EDITORIAL


‘The stigma which is seemingly associated with virus infection has no place in a healthy computing culture.’


Hype-Powered Reporting 


The residents of Suffolk will doubtless have enjoyed a delightful sense of security following this 
month’s furore over the virus outbreak at the Sizewell B nuclear power station. Imagine living in the 
shadow of this micro-processor controlled behemoth, only to discover that its very mind is riddled 
with computer viruses. Could such an event lead to a low-level format of East Anglia? 


The public’s perception of computer viruses is sketchy at best. When this is combined with a general 
fear of all things nuclear, the possibilities for a good story are endless. However, the important 
question is whether there was a real risk to safety. In this case, the answer is definitely no. So why 
has Nuclear Electric been castigated over a typical outbreak of a typical virus? The answer lies in the 
highly emotive nature of the issues involved (nobody actually explained why a virus on an office PC 
was worthy of national coverage) and in the public fascination with the various elements of which 
the story was made up. 


The machines in question at Sizewell were not in any way responsible for the safety of the plant, its workers or the public. For such machines, the type of precautions taken were adequate: companies like Nuclear Electric do not use PCs for safety-critical functions. The important parts of the Sizewell system are armed to the teeth with backup systems, hardware overrides, safety trips and the like. Should Nuclear Electric have to install the electronic equivalent of prowling Dobermans, barbed wire fences and armed security guards to defend their non-critical systems in order to make the public feel safer? One would certainly hope not.


There should be no corporate stigma in a couple of machines becoming infected with a computer 
virus. If infected media were shipped out of a company, or lives endangered, the public would have a 
right to know. However, the fact that a handful of machines happen to be infected with the Yankee 
virus is hardly a national security issue. In the case of Sizewell’s Yankee outbreak, the virus was 
discovered shortly after the machine had become infected - had the virus existed on the network for 
several months without detection, it is possible that the concern displayed might have been justified. 


A little learning can be a dangerous thing. Although everyone is aware of the fact that computer 
viruses can spread from one PC to another, the popular misconception persists that viruses can jump 
platforms, with mainframes becoming infected by their less resilient cousins, the PCs. This is not the 
case, nor is it likely to become so. 


The entire Sizewell virus outbreak has served as a reminder of the limitations of the IBM PC: it is not, and was never designed to provide, a secure working environment. For those applications which need to run with a very high degree of reliability, it is not the appropriate machine. The more security is added to a computer, the less usable it becomes - a fact which is particularly true for the DOS-based IBM PC. If misleading press coverage leads to the development of a security-paranoid culture, the result will be less efficient use of computers, making the end product more expensive to produce, be it sausages or nuclear power.


The entire computer virus issue is something which desperately needs good media coverage, based 
upon fact. Public humiliation of companies whose machines become infected does nothing but harm. 
The hysterical ‘viruses invading our computers’ style of reporting has planted seeds of distrust in 
computing which will grow to block out new and possibly useful thoughts and ideas. 


The stigma which is seemingly associated with virus infection has no place in a healthy computing culture. If the wave of negative publicity generated by the Sizewell virus ‘calamity’ prevents companies coming forward and discussing the true scale of the virus problem, the price of using ‘sensationalistic’ journalism will have been a high one. The virus issue should not be swept under the carpet in the hope that it will go away. If the PC virus problem is not publicised in the right way, it will get worse - and the entire suppurating mass will have to be removed piecemeal. By making companies afraid of the brief sting of the antiseptic, the Press is endangering the entire limb.
NEWS


Getting away with IT 


November 25th saw the launch of a new joint initiative 
between the Metropolitan Police, IBM (UK) and PC Plus. 
With the snappy catchphrase of ‘Don’t let them get away 
with IT’, the sponsors of the venture hope to make the job of 
the computer criminal much more difficult. 


The scheme was launched with a morning of presentations at IBM’s South Bank offices. The speakers included Nick Temple (Chief Executive, IBM (UK)), Dave Veness (Deputy Assistant Commissioner, Metropolitan Police Service), Inspector John Austin (Computer Crime Unit), and Mark Drew (also from IBM (UK)).


The campaign is designed to help the users help themselves 
by protecting their own systems. Good computing practice 
was strongly advocated, with the usual pleas for regular 
backups, the judicious use of write-protect tabs on disks, and 
the scanning of incoming disks. The task of educating the 
user can sometimes be a difficult one: just by following these 
three simple steps, much of the damage caused by computer 
viruses could be eliminated. 


Dave Pullin, IBM’s Software Business Director, underlined how to utilise the best defence against computer viruses: the backup. ‘As with so many things in life, we often don’t appreciate the value of data until it is gone,’ cautioned Pullin - a statement which anyone who has had first hand experience of the Michelangelo virus will know well.


However, the aims of the schemes go far beyond mere virus 
prevention. It is hoped that all aspects of computer crime can 
be combatted by relatively simple measures, though such 
preventative medicine has proven difficult to sell. 


During the closing session, the most interesting point was raised: that of resources. It is no secret that computer crime requires many resources for its investigations. With the CCU consisting of only a handful of overworked officers, would the Metropolitan Police make any further resources available to investigate computer crime?


In reply, Inspector John Austin of the CCU said that it had sufficient resources at this time. However, when quizzed after the press conference, he admitted that in an ideal world, more resources would greatly help, and that the CCU had to fight for its budget, just like other specialist units in New Scotland Yard. How high on Scotland Yard’s list of priorities is computer crime?


This worry, coupled with the impending loss of one of the CCU’s most experienced officers, DC Noel Bonczoszek, is a cause for concern. The transferral is simply part of standard police staff rotations. Although Bonczoszek will be replaced by a new officer, the loss of his expertise will make the CCU’s tough job even harder.
Virus Prevalence Table - October 1993


Virus               Incidents   Reports (%)
Form                   18         36.7%
New Zealand II          5         10.2%
Spanish Telecom         5         10.2%
V-Sign                  4          8.2%
Cascade                 2          4.1%
NoInt                   2          4.1%
Parity Boot             2          4.1%
1575                    1          2.0%
Brunswick               1          2.0%
Eddie                   1          2.0%
Even Beeper             1          2.0%
Exebug-1                1          2.0%
Helloween               1          2.0%
Monkey                  1          2.0%
Necropolis              1          2.0%
Tequila                 1          2.0%
V2P6                    1          2.0%
Vacsina                 1          2.0%
Total                  49        100.0%

ITSEC Revisited 


Four and a half months after the first meeting on the government’s ITSEC product evaluation scheme, discussion of how best to certify anti-virus software still grinds on.


The second meeting of the Anti-Virus Working Group was 
held in London on November 3rd. The main objective of this 
group is to forge closer ties between the government and the 
private sector, and the aim of the day was agreement on 
recording virus prevalence and statistics gathering (the least 
controversial part of the master plan). 


Discussion raged for the better part of the morning as to the 
best methods for recording and reporting incidences of virus 
outbreaks - it was eventually decided that an incident 
recording form, a draft of which was tabled, would be an 
effective way of achieving both. Many of those present 
already had some form of incident logging system, and so it 
was felt that the suggested system would not incur major 
changes in the current practice. 


Delegates all agreed that information on attacks should be reported to the Central Computer and Telecommunications Agency, and that victims should be encouraged to report the incidents to the Computer Crime Unit at New Scotland Yard. The CCTA agreed to collate the data gathered, due to the commercially sensitive nature of the information.
Viruses In the Wild


In a new cooperative effort led by Symantec’s Joe Wells, a list of viruses known to be in the wild is being compiled. Current contributors to this list are Alan Solomon (S&S International), Dave Chess (IBM), Eugene Kaspersky (KAMI), Fridrik Skulason (Frisk International), Glenn Jordan (Datawatch), Joe Wells (Symantec), Paul Ducklin (CSIR), Padgett Peterson, Roger Riordan (CYBEC), Vesselin Bontchev (University of Hamburg), Wolfgang Stiller (Stiller Research), and Yuval Rakavi (BRM).


Rather than attempting to measure virus prevalence, the list 
is designed to show exactly which viruses are actually 
spreading. In order for a sample to be added to this list, an 
infected file or disk has to be received and verified by one of 
the members compiling statistics. 


The following is a list of viruses confirmed to be in the wild, and should be of use to anyone interested in the epidemiology of computer viruses:


CARO NAME                    ALIAS
Barrotes.A                   Barrotos
Butterfly
Cascade.1701.A               1701
Cascade.1704.A               1704
Changsha                     Centry
Chinese Fish                 Fish Boot
Dark_Avenger.1800.A          Eddie
Dark_Avenger.2100.SLA        V2100
Datalock.920                 V920
Den_Zuko.A                   Den Zuk
Dir-II.A                     Creeping Death
Disk_Killer.A                Ogre
Even_Beeper
EXE_Bug.A                    CMOS
EXE_Bug.C
Fichv.2_1                    905
Filler
Flip.2153.A                  Omicron
Flip.2343                    Omicron
Form
Frodo.Frodo.A                4096, 100 Year
Green Caterpillar            Find, 1591
Helloween
Jerusalem.1244               1244
Jerusalem.1808.Standard      1808
Jerusalem.Anticad.4096       Invader
Jerusalem.Fu_Manchu
Jerusalem.Mummy.2_1
Jerusalem.Zerotime.Austr     Slow
Joshi.A
Kampana.3700:Boot            Telecom, Drug
Keypress.1232.A              Turku, Twins
Liberty                      Mystic, Magic
Maltese Amoeba               Irish
Music_Bug
Necros                       Gnose, Irish3
No_Frills.Dudley             Oi Dudley
No_Frills.No_Frills
Nomenklatura                 Nomen
November_17th.855.A          V855
NPox.963.A                   Evil Genius
Parity_Boot.B
Ping Pong.B                  Italian
Print_Screen                 PrnScn
Quit.A                       555, Dutch
Quox
Screaming Fist.696           696
Stealth.BSTB
Stoned.16                    Brunswick
Stoned.Azusa                 Hong Kong
Stoned.Empire.Monkey
Stoned.June_4th              Bloody!
Stoned.Manitoba              Manitoba
Stoned.Michelangelo          March 6
Stoned.NoINT                 Stoned 3
Stoned.NOP
Stoned.Standard.B            New Zealand
Stoned.Swedish_Disaster
Stardot.789                  805
SVC.3103                     SVC 5.0
Tequila
Tremor
V-Sign                       Cansu, Sigalit
Vacsina.TP-05                RCE-1206
Vacsina.TP-16                RCE-1339
Vienna.648.Reboot            DOS-62
WXYC
Yale                         Alameda
Yankee Doodle.TP-39          RCE-2772
Yankee Doodle.TP-44.A        RCE-2885
Yankee Doodle.XPEH.4928
Yeke.1076                    Micropox

The following viruses have only been seen by one member of the cooperative:


CARO NAME                    ALIAS
10_Past_3.748
Brain
Cascade.1701.G               1701
Coffeeshop:MtE_090
Darth_Vader.3.A
Datalock.828
DosHunter
Emmie.3097
EXE_Engine
Flame
Ginger                       Gingerbread
Hafenstrasse                 Hafen
Involuntary.A                Invol
Jerusalem.1808.CT            Capt Trips
Jerusalem.1808.Null
Jerusalem.Carfield
Jerusalem.Montezuma
Jerusalem.Mummy.1_2
Jerusalem.Sunday.A           Sunday
Jerusalem.Sunday.II          Sunday 2
Joshi.B
Little Brother.307
Lyceum.1788
Murphy.Smack.1841            Smack
NJH-LBC                      Korea Boot
Ontario.1024                 SBC, 1024
Parity_Boot.A
Sat_Bug                      Satan Bug
Sleepwalker
Stinkfoot
Stoned.Bunny.A
Stoned.Empire.In_Love
Stoned.Empire.Int_10
Stoned.W-Boot
Swiss_Boot
Swiss_Phoenix
Syslock.Syslock.A
Voronezh.1600                RCE-1600
IBM PC VIRUSES (UPDATE)


The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 25th November 1993. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or preferably a dedicated scanner which contains a user-updatable pattern library.


Type Codes

C  Infects COM files
D  Infects DOS Boot Sector (logical sector 0 on disk)
E  Infects EXE files
L  Link virus
M  Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N  Not memory-resident
P  Companion virus
R  Memory-resident after infection


Barrotes.1303 CER: An encrypted, 1303 byte variant of the Barrotes virus, which activates on September 23rd.
Barrotes.1303 5F57 83C7 07B9 F904 2E80 2D?? 47E2 F9E9 DAFE


Blinky CR: A 1302 byte virus, probably written by the same author as Pinky.
Blinky 8A26 0901 B9C2 04BE 0C01 8BFE FCAC 32C4 AAE2 FAC3 0E07 0E1F


Checksum.1253 CER: Very similar to the 1233 byte variant, but 20 bytes longer.
Checksum.1253 832E 0300 5083 2E02 0050 0BC9 740B 508C C040 8EC0 B449 CD21


Clonewar.546 P: A 546 byte long variant of this family of companion viruses.
Clonewar.546 93B9 2202 BA00 01B4 40CD 21B4 3ECD 21BA 5702 B903 00B8 0143


Finnish.709.C CR: This variant was recently reported ‘in the wild’ in Finland. It is not significantly different from the original virus (which was first named F-709), and is detected by the same pattern.


Halloechen.B CER: Almost identical to the original. Detected with the Halloechen pattern.


Helloween.1384 CER: A new, 1384 byte variant, detected with the Helloween search pattern.


Mirror.B ER: 924 bytes long, just like the original, and with the same effect. Detected with the Mirror pattern.


Never Mind CR: An encrypted, 838 byte virus. Awaiting analysis.
Never Mind BB?? ??8B F3BF ???? B923 03B2 ??8A 0400 0530 1546 4781 FE


No Frills.835 CER: Similar to the 843 byte variant, but not fully analysed.
No Frills.835 3D32 5475 04B8 0710 CF80 FC4B 7418 80FC 3D74 1380 FC43 740E


Nygus CN: The following three variants of the Nygus virus are much smaller than those reported earlier, and somewhat different (for example, these samples are non-resident). However, they are obviously related, and these three just seem to be earlier versions.
Nygus.163 B440 CD21 B002 E82B 00B1 A3BA 0501 B440 E82A 00B4 3ECD 21B4
Nygus.227 B800 40CD 21B0 02E8 3200 B1E3 BA05 01B4 40E8 3100 B43E CD21
Nygus.295 B440 CD21 B002 E841 00B9 2701 BA05 01B4 40E8 4C00 B43E CD21


Osiris CN: This 299 byte virus activates on September 30th, when it has a 10% chance of displaying the message ‘Osiris Presents / The Trish Virus . Luv and Hugs OSiRiS’.
Osiris B939 00BE 0000 8A94 EF01 80F2 C646 B402 CD21 E2F2 B44E 33C9


PC-flu.763 CR: This 763 byte variant is quite similar to the 802 byte one. It is detected with the original PC-flu pattern. Not fully analysed.


Pinky P: An encrypted, 952 byte companion virus, which contains the message ‘The Pac-Man PINKY Ghost is watching (Can you find Inky?)’.
Pinky 8A26 0701 B958 03BE 0A01 8BFE FCAC 02C4 AAE2 FAC3 8A26 0701


Pit CN: A simple, 492 byte virus that does not appear to do much but replicate.
Pit 438A 2780 FCE9 7403 B400 C383 C303 8A27 80FC 1274 03B4 00C3


Pixel.300 CN: A minor variant, detected with the Pixel.277 pattern.


Pixel.847.Advert.C CN: A very minor variant, detected with the Amstrad pattern.
Predator C(E)R: Five encrypted viruses are now known in this family. The 1072, 1137, 1148 and 1195 byte
viruses only infect COM files, but the 2448 byte variant also infects EXE files. 


Predator.1072 BA0C 02B1 ??FA 8BEC BC?? ??58 F7D0 D3C8 50EB 01?? 4C4C 4A75
Predator.1137 BA2E 02B1 ??FA 8BEC BC?? ??58 F7D0 D3C8 50EB 01?? 4C4C 4A75
Predator.1148 BA33 02B1 ??FA 8BEC BC?? ??58 D3C8 50EB 01?? 4C4C 4A75 F4
Predator.1195 BA4A 02B1 ??FA 8BEC BC?? ??58 D3C8 50EB 01?? 4C4C 4A75 F4
Predator .2448 ORIF BF?? 2?BG 2772 BOBD 0449 “7608 272? 222? 4PAF EBFS 


Quadratic.1283 CER: A polymorphic, 1283 byte virus which contains the string ‘Quadratic Equation IT’. 


Traveler Jack EN: Three new variants of this virus have now been discovered, 854, 979 and 982 bytes long. They are 
all encrypted, and the decryption loops have been modified so that no single search pattern can detect 
them all. The 979 byte virus is detected by certain virus scanners as a variant of the Flower virus, and 
examination revealed that the Flower virus should be re-classified as Traveler_Jack.883. 
TravJack.854 8CC8 8EC0 2E8C 1E88 038E D880 3E02 0090 7416 BB36 008A 1602
TravJack.979 8CC8 8EC0 8ED8 803E 3100 0074 258A 1631 00BB 3700 8A07 32C2
TravJack.982 0E0E 5807 2E8C 1E0A 0450 1F8A 1631 00BB 3700 803E 3100 0074

Trivial C(E)N: Several new viruses which belong to the ‘Trivial’ family are now known. The search patterns 
given below are shorter than normal, because the pattern would otherwise contain far too much of the 
actual virus code. 


Trivial.26.B 2A2E 2A00 5656 B44E 5A41 CD21 83EA 62
Trivial.27.C B43C CD21 93B4 405A CD21 C32A 2E2A 00
Trivial.28.C 2A2E 2A00 5656 91B4 4E5A CD21 83EA 62
Trivial.29 CD21 93B4 40B1 1D5A CD21 C32A 2E2A 00
Trivial.30.F CD21 93B4 40B1 1E5A CD21 C32A 2E2A 00
Trivial.40.A B440 B128 BA00 01CD 21B4 3ECD 21CD 202A 2E43
Trivial.40.B BA00 0193 B440 CD21 B44C CD21 2A2E 636F 6D00
Trivial.40.D 40B1 2856 5ACD 21B4 3ECD 21B4 4FEB E1C3
Trivial.40.E 2A2E 3F3F 3F00 86F0 B43D B29E CD21 93B4 40BA
Trivial.40.F 0001 B440 CD21 B43E CD21 B44F EBE1 2A2E 2A00
Trivial.42.D 40B1 2ABA 0001 93CD 21B4 3ECD 21B4 4FEB DFC3
Trivial.42.E 40B1 2ABA 0001 CD21 B43E CD21 B44F EBE0 C32A
Trivial.43 40B1 2B56 5ACD 21B4 3ECD 21B4 4FEB E1C3
Trivial.44.D 40B1 2CBA 0001 CD21 B43E CD21 B44F EBE0 C32A
Trivial.45.D 40BA 0001 CD21 B43E CD21 B44F EBE1 C32A 2E43
Trivial.40.C 2A2E 434F 4D00 86F0 B43D B29E CD21 93B4 40BA
Trivial.44.C 8BD8 B440 CD21 B43E CD21 CD20 2A2E 636F 6D00
Trivial.102 B900 00BA 5301 CD21 720B B966 00BA 0001 93B4


In addition, several new search strings are included below to detect the new viruses in the PART_1.ZIP archive. [See page 9. Ed.] 
Carioca.B 01FC F3A4 B800 01FF E02E 8B1E 0301 81C3 7C05 53B1 04D3 EB43


DA.2100.DI.B D3E8 8CD1 4003 C18C D949 8EC1 BF02 00BA 0C01 8B0D 2BCA 3BC8
DataCr.1168.B 3601 014E 4E4E 8BC6 3D00 0075 03E9 FE00 8DBC DB04 BB00 01B9
DataCr.1280.B 3601 0183 EE03 8BC6 9090 9075 03E9 0201 8DBC EC04 BB00 01B9
Hymn.B FF64 F500 07E8 0000 5E83 C6B4 FC2E 81BC 4207 4D5A 740E FA8B
Kemerovo.E 0400 89C7 B904 00A4 E2FD 525F 29D3 81EB C100 899D BB00 29C9
Wisconsin.B 8B0E 0601 8A04 34FF 8804 46E2 F7B4 1ABA 3901 CD21 E8B1 FDE8
Fu Manchu.D B4E1 FCCD 2180 FCE1 7316 80FC 0472 11B4 DDBF 0001 BE20 0803
Fumble.867.E 5351 521E 0656 0E1F E800 005E 83C6 DCFF 4C16 837C 1603 7505
Ww.217.D BF00 0181 C6D2 01A4 A490 90A4 5EB4 4EBA C901 03D6 B0FF FFCD
PSOR.B B80F FFFC CD21 3D01 0174 3B06 B8F1 35CD 218C C007 3D34 1274
Vienna.623.B FC8B F2BF 0001 83C6 0A90 9090 A5A4 8BF2 B430 CD21 3C00 7503
Vienna.623.C FC8B F2BF 0001 83C6 0AA5 9090 90A4 8BF2 B430 CD21 3C00 7503
MG.3.C C43E 0600 49B0 BAF2 AE26 C43D 83EF DFEA 3902 0000 061F 8B75
YD.1049.B EB10 1E5A 83C2 102E 0316 2000 522E FF36 1E00 061E 5053 B800
ACad.3012.C B840 4BCD 213C 7890 7512 B841 4BBF 0001 BEC4 0B03 F72E 8B8D
ACad.Mozart.B 0F00 901F C31E 0633 C050 1FA1 1304 B106 D3E0 8ED8 33F6 8B44
Syslock.D 8AE1 8AC1 3306 1400 3104 4646 E2F1 5E59 58C3


Scott’s Val.B E800 005E 5690 5B90 81C6 3200 B912 082E 8034 ??46 E2F9
Perfume.BlankB FCBF 0000 F3A4 81EC 0004 BFBA 0006 57CB 0E1F 8E06 5F00 8B36
Quiet.B BB00 0153 5052 1E1E B800 008E D8BB 4000 A113 04F7 E32D 6708
Phoenix.800.C B981 0151 31D2 AD33 D0E2 FB59 3115 4747 E2FA
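A scanner for the search-pattern format used throughout this update, added here as an example (it is not Virus Bulletin's own code): it compiles a printed pattern with ‘??’ wildcards into a byte-and-mask pair, runs a small library of patterns taken from the entries above over constructed buffers, and shows both what the wildcards tolerate and why one changed byte inside the 24-byte window defeats an exact pattern. The buffers are built from the published pattern bytes only and are not programs.

```python
"""Scanner for Virus Bulletin style hexadecimal search patterns.

A pattern is printed as space-separated groups of hex digits (normally 24
bytes) and '??' marks a byte that varies from sample to sample. This module
compiles a pattern into (values, mask), scans a buffer for it, and rejects a
pattern that is not well-formed. The buffers it scans are constructed below
from the published pattern bytes and are not executable virus code.
"""
from string import hexdigits
from typing import Dict, List, Optional, Tuple

Compiled = Tuple[bytes, bytes]  # (values, mask): mask 0xFF = compare, 0x00 = wildcard


def compile_pattern(text: str) -> Compiled:
    """Turn 'BB?? ??8B F3BF ...' into a (values, mask) pair, one entry per byte."""
    digits = text.replace(" ", "")
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits in {text!r}")
    values, mask = bytearray(), bytearray()
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            values.append(0x00)
            mask.append(0x00)
        elif all(c in hexdigits for c in pair):
            values.append(int(pair, 16))
            mask.append(0xFF)
        else:
            # A letter O for 0 or l for 1 (typical OCR damage in a printed
            # pattern) or a half wildcard such as '4?' lands here.
            raise ValueError(f"bad group {pair!r} in {text!r}")
    return bytes(values), bytes(mask)


def find_pattern(buf: bytes, compiled: Compiled) -> Optional[int]:
    """Offset of the first match of the compiled pattern in buf, or None."""
    values, mask = compiled
    n = len(values)
    for off in range(len(buf) - n + 1):
        if all((buf[off + i] & mask[i]) == values[i] for i in range(n)):
            return off
    return None


def scan(buf: bytes, library: Dict[str, str]) -> List[Tuple[str, int]]:
    """Scan buf against every pattern in library; return (name, offset) hits."""
    hits = []
    for name, text in library.items():
        off = find_pattern(buf, compile_pattern(text))
        if off is not None:
            hits.append((name, off))
    return hits


# Three patterns from the update above, after correcting the letters O and l
# (impossible in hexadecimal) to the digits 0 and 1.
LIBRARY = {
    "Never Mind": "BB?? ??8B F3BF ???? B923 03B2 ??8A 0400 0530 1546 4781 FE",
    "Osiris":     "B939 00BE 0000 8A94 EF01 80F2 C646 B402 CD21 E2F2 B44E 33C9",
    "Pinky":      "8A26 0701 B958 03BE 0A01 8BFE FCAC 02C4 AAE2 FAC3 8A26 0701",
}


def make_sample(pattern_text: str, fill: int = 0xAA, lead: int = 40) -> bytes:
    """Constructed test buffer: `lead` NOP bytes, then the pattern bytes with
    every wildcard position replaced by `fill`, then zero padding. It is a
    test vector for the scanner, not a program."""
    values, mask = compile_pattern(pattern_text)
    body = bytes(v if m else fill for v, m in zip(values, mask))
    return b"\x90" * lead + body + b"\x00" * 16


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Run the library over one sample per pattern, plus two edge cases."""
    results = {name: scan(make_sample(text), LIBRARY) for name, text in LIBRARY.items()}
    # Wildcards do their job: different bytes at the '??' positions still match.
    results["Never Mind (other wildcard bytes)"] = scan(
        make_sample(LIBRARY["Never Mind"], fill=0x55), LIBRARY)
    # The caveat: change one fixed byte inside the 24-byte window and the exact
    # pattern no longer fires. This is why the Traveler Jack entry above needs
    # a separate pattern per variant.
    damaged = bytearray(make_sample(LIBRARY["Pinky"]))
    damaged[40 + 12] ^= 0x01
    results["Pinky (one byte changed)"] = scan(bytes(damaged), LIBRARY)
    return results


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:36} {hits}")
```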
INSIGHT


Sizewell B: Fact or Fiction? 


Anybody who keeps an eye on UK newspapers will have 
noticed that in the last month, computer viruses have hit the 
headlines once again. The cause of this wave of media 
publicity was the infection of computers at the Sizewell B 
nuclear power station. The story, with perceived danger to 
the public, nuclear power, and computer viruses, had all the 
elements necessary to be highly newsworthy, and much of 
the portrayal bordered on the hysterical. The key question 
was whether a virus could compromise safety at the plant. 


Power to the People 


As one drives up the A12 from London it soon becomes obvious that a large project is underway at Sizewell - the signs for the ‘Sizewell B construction traffic’ start before Ipswich, and lead the traveller down increasingly small roads until he eventually arrives at Nuclear Electric’s newest reactor site. The plant is situated on the east coast of England, near the sleepy town of Leiston: at first glimpse one has no idea of the size of the project. A number of power lines converge on the station from the surrounding area, and the white dome of the containment building stands out from the flat Suffolk countryside.


Upon my arrival at the plant, I was directed to my parking place beneath one of the towering pylons which was humming and crackling above me, and the true scale of the project began to dawn: at Sizewell, B clearly stands for big!


Check your Disks Here 


When anyone enters the site they have to pass through a security checkpoint. Here, the visitor is asked if he is carrying any computer media, and if so, the disks are checked for viruses. Somewhat dog-eared posters adorn the doors of the security checkpoint, reminding users that ‘All computers must be checked’ and appealing to everyone to ‘B Safe’ - the system has clearly been in place for some time, rather than just put up after the recent virus attack.


Sizewell B’s containment building, just one of the many different safety features built in to the reactor


The machines which became infected with the Yankee virus were not part of the controversial Primary Protection System, but of the construction team’s Local Area Networks (LAN). ‘Let me explain the different systems we have here,’ said Dave Hollick, Site Manager. ‘There are the construction computers, and split off from them are the computers which actually control the site. The construction computer systems are linked into a LAN running OS/2. Another 120 dumb terminals link into the Nuclear Electric mainframe system based off-site. So the virus never affected the control systems. What we have here is basically a standard office system, and it was this which became infected.’


‘The 29th of June was the date it happened. We had a full investigation of the incident, and all members of the team were re-inducted. We then got some press coverage locally in the East Anglia Daily Times, and thought that was the end of it,’ explained Hollick. ‘The virus infected the LAN and we found out on the day it became infected - even if the trigger hadn’t been so obvious, we would have found out the next day when people logged on to the system.’


The site policy is very strict. Every incoming disk should be checked by security at the door, although with a maximum of 5,000 people working on-site at any one time, this can be a gargantuan task. ‘Each of the construction computers is checked for viruses when anyone logs on to the network, and since the Yankee outbreak, we have installed a new tool, PC Guard, so that it is impossible to run unauthorised software from floppy disks,’ Hollick adds. ‘We have three different virus scanners: Dr Solomon’s Anti-Virus ToolKit, Central Point Anti-Virus and Norton Anti-Virus. Computer security is something which we take very seriously.’


With so many different people using the site, it was probable that sooner or later, a computer would be infected by a virus. In this eventuality, would there be any threat to the safety of the plant? ‘Absolutely not!’ exclaimed Len Green, Press Officer. ‘The safety systems of the plant aren’t run on PCs. If you are using mission critical software, you have to ensure that computer corruption cannot make things unsafe.’


Fail Safe 


The easiest way to minimise the effect of computer error is having a large number of backup systems. The computers which actually control the Sizewell plant have the ability to shut the reactor down completely - was Green certain that they were not susceptible to virus infection? ‘Yes. The software itself is blown onto PROMs, and then that’s that. An operator cannot add new code to the system. The most that can be done is that calibrations can be changed - something that is necessary in a system, however it is controlled.’


To anyone designing failure-sensitive systems, the following precautions will be very familiar. The different parts of the system work on the principle of multiple layers of defence. The reactor itself is controlled and monitored by a dedicated system known as WISCO (Westinghouse System for Centralised Operation). This system is backed up by the reactor protection systems, the Primary Protection System (PPS) and the Secondary Protection System (SPS). It is the PPS which seems to have caused the most controversy. These protection systems would be used to shut the reactor down in the event of an emergency. How has Nuclear Electric made certain they are safe?


The PPS consists of over 100,000 lines of computer code. Although the system cannot possibly be infected by a computer virus (it is stored only on read-only memory), there is always the possibility of bugs. ‘Let us assume for a minute that the Primary Protection System completely malfunctions,’ explains Green. ‘Imagine a fault develops and the system ups the power instead of shutting it down. At this point the SPS cuts in. That doesn’t rely on computers at all, and cannot be overridden by an operator. Every safety critical feature of the plant is backed up: we don’t rely on any one system alone for safety.’


Media Attention 


Given that safety at the plant was never compromised, how does Green feel about the way in which the story was portrayed? ‘The frustration is that there are plenty of people who understand computer systems, who don’t understand the way in which nuclear power works. These people don’t know about the multiple fail-safes which we have.’





Hollick: ‘We have three different virus scanners: Dr Solomon’s Anti-Virus ToolKit, Central Point Anti-Virus and Norton Anti-Virus. Computer security is something which we take very seriously.’











‘I’m still receiving calls from all over the place about this virus outbreak. I had a call from German television this morning - and the whole thing is a non-story!’ With perfect timing the telephone rings... it is another call from the press. ‘Things have been taken out of context, and the way in which it has been portrayed just has not been reasonable. I understand people wanting to know more - I want people to know more - but the system has not had a fair hearing. It makes my blood boil!’


From the half day spent at Sizewell, it certainly seems that Nuclear Electric takes the threat of viruses seriously, and is taking the right steps to prevent them spreading. ‘What’s the story? I carry this thing around,’ Green holds up his laptop computer, which is covered in copious amounts of ‘Virus Checked’ stickers. ‘I’m getting stickers at every location to show this computer has been virus-checked - look at it, it’s covered. We take computer security very seriously here. We’ve already dismissed an agency engineer for using unauthorised software. I know that if I cut across established procedures, my job is on the line! That’s been demonstrated.’


The Last Word 


It is clear that the Yankee virus never threatened the integrity of the Sizewell B computer systems in any way whatsoever. Notwithstanding, Nuclear Electric decided to increase the level of IT security on the site, adding still more safeguards to the office system. If the safety systems of the plant are completely isolated, does this mean that the extra virus protection is purely cosmetic - that is, security for security’s sake? ‘No, that’s not true. The one thing that none of us in the nuclear industry can ever forget is that it is impossible to be too safe,’ explains Hollick. ‘Anything which makes the tools we use more reliable is always a good thing.’


Obviously there are lessons to be learned here for anyone responsible for running a 
mission-critical system. Firstly, if public alarm will result from a virus infection, this 
factor should be included in any risk assessment, and when deciding on security 
procedures. Secondly, the fact that Nuclear Electric made no effort to suppress the 
story acts in their favour: nothing looks worse than a bungled cover-up. Even in the 
nuclear industry, viruses are only a business problem. Having visited Sizewell, and 
seen their stringent security policies, it can be firmly stated that the Sizewell B 
‘incident’ should be viewed in its true light: fiction, all too loosely based on fact. 
VIRUS UPDATE


Part_1.Zip 


Fridrik Skulason 


The list of new viruses in the September 1993 edition of 
Virus Bulletin included two samples which had clearly been 
modified in order to avoid detection by one or more virus 
scanners. In each case, the modifications were minimal, but 
in the middle of the Virus Bulletin search pattern. 


Both these viruses (BOMB.EXE and YONDER.COM) were uploaded anonymously in July, accompanied by a note from somebody who claimed to be located in the Netherlands, and signed with the alias ‘Neuron’.


Variants such as these appear with monotonous regularity, 
and no special attention was given to the two samples... 
until they were sent to the Technical Editor of Virus Bulletin, 
as a part of a much larger collection. This collection is a 
755,978 byte file named PART_1.ZIP, containing 266 files. 
A few of these files turned out to be duplicated elsewhere 
within the collection, while others were non-working or 
damaged viruses. However, the majority were new variants 
of known viruses. 


McAfee Targeted 


Researchers quickly noticed several interesting features of the collection. It is very different from the typical virus collections which are obtained, directly or indirectly, from the ‘underground’. Typically, such compilations contain a large number of ‘garbage’ files which are not viruses (for example, Trojan programs or completely harmless files). However, this one was unusually clean.


Not one of the viruses was detected by that version of SCAN 
from McAfee Associates current at the time, but other anti- 
virus programs fared significantly better, detecting 50%-95% 
of the viruses. The only conclusion possible to draw from 
this is that the viruses were specifically modified to avoid 
detection by SCAN. 


The most likely scenario seems to be that the person(s) 
responsible obtained a virus collection somewhere, and 
either decrypted the search strings used by SCAN, or used an 
existing list of McAfee’s search patterns. The viruses were 
then analysed one by one, and minor modifications made to 
the relevant part of the code. It should be added that the 
current version of SCAN (version 109) has been updated to 
deal with this collection, and it identifies 236 out of the 266 
files as infected. 


The name of the file (PART_1.ZIP) was worrying, as it implied that this was only part of a larger collection. So far, nothing more has been received, but researchers are concerned that one day 5000 new variants might be sent in! 


New Extensions 


The relative cleanliness of the collection was not its only unusual feature. The extension of each file had been ‘reversed’: all files that were structurally EXE files had a COM extension, and vice versa. One can only speculate why this was done, but it may have been in order to defeat a primitive scanner to which the virus author had access. 


The choice of parent viruses was also intriguing. Every virus in the collection was old - there was not a single virus family written in the past two years. This was not all: quite a few of the samples in the collection were classified as ‘B’ variants of the original virus, meaning that no other variants had been reported before. These viruses were either generally unavailable to the virus writing community, or were unpopular for some reason. 


The names of the samples appear to have been selected at 
random, instead of indicating the family to which the virus 
belongs, or any text messages contained within them. In fact, 
one researcher commented that many of the names were 
quite good, and might be used later when a name for a new 
virus was needed. If readers ever see a virus called Boson, 
Discus, Saffron or Turtle (to name a few), this is where the 
name originated! 


The changes made may have been carried out automatically 
by computer, or manually. Typical alterations are: 


• Swapping two instructions 

• Replacing an instruction with a different binary form (several instructions, such as XOR RW, RW, have two different forms) 

• Replacing an instruction with a series of instructions having the same effect (for example, replacing ADD BX, 3 with three INC BX instructions) 

• Replacing an ADD instruction with a SUB (or vice versa). This would typically involve substituting something like ADD AX, 100 with SUB AX, -100. 
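The encoding-level changes in this list can be undone before a search string is compared, which is the check a scanner needs if a fixed pattern is to survive them. The following Python is added here as an illustration, not code from Virus Bulletin or any scanner: it canonicalises the XOR-encoding, INC-run and ADD/SUB rewrites on a constructed snippet (not a real virus) and shows that a byte signature taken from the plain form matches the rewritten form only after canonicalisation; the decoder covers just the opcodes the snippet uses, and instruction swapping is left alone because it cannot be undone byte by byte.

```python
"""Canonicalise a few 16-bit x86 encodings before signature matching.

Added example, not Virus Bulletin's code. The decoder covers only the
opcodes used in the constructed samples; any other opcode raises.
"""

# ALU 'op r/m16, r16' opcodes; 'op r16, r/m16' is the same opcode with bit 1 set.
ALU_RM_R = {0x01, 0x09, 0x11, 0x19, 0x21, 0x29, 0x31, 0x39}


def _modrm_len(modrm):
    """Bytes occupied by a 16-bit ModR/M byte plus its displacement."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1
    if mod == 0:
        return 3 if rm == 6 else 1     # mod=00 rm=110 is a direct 16-bit address
    return 2 if mod == 1 else 3


def decode(code):
    """Return (offset, length) for each instruction. Minimal 16-bit decoder."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if (op & ~2) in ALU_RM_R or op in (0x89, 0x8B):        # ALU/MOV with ModR/M
            n = 1 + _modrm_len(code[i + 1])
        elif op == 0x83:                                         # ALU r/m16, imm8
            n = 2 + _modrm_len(code[i + 1])
        elif op == 0x81:                                         # ALU r/m16, imm16
            n = 3 + _modrm_len(code[i + 1])
        elif 0x40 <= op <= 0x5F or op in (0x90, 0xC3):          # inc/dec/push/pop, nop, ret
            n = 1
        elif op in (0x05, 0x2D, 0x3D, 0xE8) or 0xB8 <= op <= 0xBF:  # AX,imm16; call; mov r16,imm16
            n = 3
        elif op in (0x04, 0x2C, 0x3C, 0xCD, 0xEB):              # AL,imm8; int; jmp short
            n = 2
        else:
            raise ValueError("opcode %02X at offset %d is outside the decoder subset" % (op, i))
        insns.append((i, n))
        i += n
    return insns


def canonicalise(code):
    """Rewrite the interchangeable encodings into one fixed form."""
    insns, out, k = decode(code), bytearray(), 0
    while k < len(insns):
        off, n = insns[k]
        b = code[off:off + n]
        op, modrm = b[0], b[1] if n > 1 else None
        if (op & ~2) in ALU_RM_R and op & 2 and modrm >> 6 == 3 \
                and (modrm >> 3) & 7 == modrm & 7:
            # 'op r16, r16' with both register fields equal (33 C0, XOR AX,AX)
            # is the same instruction as 31 C0: keep the r/m,r form.
            b = bytes([op & ~2]) + b[1:]
        elif 0x40 <= op <= 0x47:
            # A run of INC r16 becomes ADD r16, count (83 /0 ib).
            count = 1
            while k + count < len(insns) and code[insns[k + count][0]] == op:
                count += 1
            b = bytes([0x83, 0xC0 | (op - 0x40), count])
            k += count - 1
        elif op == 0x2D:
            # SUB AX, imm16 -> ADD AX, -imm16 (2D 9C FF becomes 05 64 00)
            imm = int.from_bytes(b[1:3], "little")
            b = bytes([0x05]) + ((-imm) & 0xFFFF).to_bytes(2, "little")
        elif op == 0x83 and (modrm >> 3) & 7 == 5 and b[-1] != 0x80:
            # SUB r/m16, imm8 (83 /5) -> ADD r/m16, -imm8 (83 /0);
            # -128 has no imm8 negation, so that case is left alone.
            b = bytes([0x83, modrm & 0xC7]) + b[2:-1] + bytes([(-b[-1]) & 0xFF])
        out += b
        k += 1
    return bytes(out)


def signature_hits(code, signature):
    """True when the signature occurs in the canonical form of the code."""
    return signature in canonicalise(code)


# Constructed sample, not real virus code: the same five instructions in a
# plain form and after the rewrites listed above (XOR encoding, INC run, SUB).
ORIGINAL = bytes.fromhex("31C0" "83C303" "056400" "B8004C" "CD21")
MODIFIED = bytes.fromhex("33C0" "434343" "2D9CFF" "B8004C" "CD21")
# A VB-style fixed byte string lifted from the plain form.
SIGNATURE = bytes.fromhex("31C083C303056400")
```

A raw byte comparison of SIGNATURE against MODIFIED fails, while the same string matches after canonicalisation; the swap of two instructions would still defeat it.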


One cannot help but wonder why the author expended so 
much effort creating this collection, and then just uploaded it 
to a virus researcher, instead of spreading the viruses or 
uploading them to virus exchange BBSs. The fact that he 
seems to have targeted one particular product might indicate 
a particular dislike for that product or its producer. 


The following list of viruses is printed so that any confusion 
about the correct names and identities of the viruses can be 
avoided. The name of the VB pattern which will detect the 
virus is given, along with the sample name (as shipped by 
the virus author), and the correct name of the variant. All 
viruses not detected by existing VB patterns have been added 
to this month’s Virus Bulletin list of known PC viruses. 
Sample name    VB pattern           Name 
007.EXE        Burger               Burger.560.AF 
ACAPULCO.EXE   8-tunes              Eighttunes.B 
ACID.EXE       Jerusalem-US         Jerusalem.1808.A-204.B 
AIX.EXE        Amstrad              Pixel.847.Advert.B 
AI_OKO.EXE     Vacsina              Vacsina.TP.5.B 
ALASKA.EXE     *Syslock.D           SysLock.Syslock.D 
ALMA_ATA.EXE   Jerusalem-1          Jerusalem.1808.Anarkia.E 
ALPHA.EXE      1067                 Headcrash.B 
APPOLO.EXE     Datacrime2           DataCrime II.1514.C 
ATARI.EXE      Oropax               Oropax.B 
ATHENA.EXE     *Vienna.623.B        Vienna.623.B 
BAKU.EXE       Taiwan-c             Taiwan.677.B 
BANZAI!.EXE    Jerusalem-1          Jerusalem.1808.Frere.D 
BARBARA.EXE    707                  USSR-707.B 
BELINDA.EXE    Voronezh             Voronezh.1600.B 
BENSON.EXE     *Queit.B             Stupid.919.Queit.B 
BISTRO.EXE     JoJo                 Cascade.1701.Jojo.C 
BOMB.EXE       Eddie-2.d            Eddie-2.D 
BOMBAY.EXE     Solano               Jerusalem.Solano.Dyslexia.B 
BONNY.EXE      *Carioca.B           Carioca.B 
BOSON.EXE      *DA.2100.DIL.B       Dark Avenger.2100.DIL.B 
BOSTON.EXE     Yankee               Yankee Doodle.TP.44.D 
BRAD.EXE       Violator             Vienna.Choinka.B 
BRAZIL.EXE     Sat 14               Saturday 14th.B 
BROKEN.EXE     Burger               Burger.560.AB 
BRONCO.COM     Icelandic_(2)        Icelandic.Saratoga.B 
BULLDOG.EXE    W13                  Vienna.W-13.507.D 
BUNKER.COM     Vcomm                Vcomm.637.C 
BURLEY.EXE     Jerusalem-US         Jerusalem.1808.sUMsDos.AA 
BURP.COM       Bestwish             Best Wishes.1024.C 
BUTTER.EXE     Taiwan-c             Taiwan.708.B 
CARTER.COM     Yankee               Yankee Doodle.TP.44.E 
CIAO.EXE       5120                 Vbasic.E 
CLINTON.EXE    Lovechild            Lovechild.488.B 
COACH.EXE      Jerusalem-US         Jerusalem.1808.A-204.C 
COLLIDER.EXE   Dark Avenger         Dark Avenger.2000.Traveler.D 
COLT.EXE       Virdem               Virdem.1336.German.B 
CONDOM.EXE     Jerusalem-1          Jerusalem.1808.Frere.H 
COPENE.EXE     Doteater             Doteater.C 
CRISIS.COM     Jerusalem-1          Jerusalem.1808.sUMsDos.AB 
CUT.EXE        Testvirus B          Testvirus-B.B 
DAME.EXE       *Wisconsin.B         Wisconsin.B 
DEACON.EXE     2480                 Crew.2480.B 
DELTA.EXE      Taiwan-2             Taiwan.743.B 
DILDO.COM      Wolfman              Wolfman.B 
DISCUS.EXE     Violator             Vienna.627.B 
EPHRAIM.EXE    Spanish              Traceback.2930.B 
FEY.EXE        Ambulance            Ambulance.E 
FILTH.EXE      Frodo                Frodo.H 
FONDLE.EXE     Justice              Justice.B 
FORD.EXE       *Scott’s Val.B       Jerusalem.Zerotime.Scott’s Valley.B 
FORTUNE.EXE    Jerusalem-US         Jerusalem.1808.Blank.C 
FUCK.EXE       Sunday               Jerusalem.Sunday.I 
GABRIEL.EXE    Vacsina              Vacsina.TP.16.B 
GAMMA.COM      *ACad.3012.C         Jerusalem.AntiCad.3012.C 
GAMMA-7.EXE    Christmas-Japan      Japanese_Christmas.600.E 
GATES.COM      Suriv_2.01           Suriv2.C 
GENESIS.EXE    Halloechen           Halloechen.C 
GETTY.EXE      *Kemerovo.E          Kemerovo.E 
GET_LOST.EXE   405                  Burger.405.C 
GILLIGAN.EXE   *DataCr.1280.B       DataCrime.1280.B 
GINGER.COM     MIX1                 Icelandic.MIX-1.F 
GIZMO.EXE      Frodo                Frodo.F 
GLUON.EXE      Jerusalem-US         Jerusalem.Groen Links.D 
GOAT.EXE       ACAD-2576            Jerusalem.AntiCad.2900.Plastique.D 
GOON.COM       Jerusalem-1          Jerusalem.1808.sUMsDos.AC 
GOYA.EXE       Guppy                Guppy.D 
GRASS.EXE      Black Monday         Black Monday.1055.G 
GREECE.EXE     Slow                 Jerusalem.Zerotime.Australian.C 


Sample name    VB pattern           Name 
GRISANTI.EXE   Amstrad              Pixel.847.Near_End.B 
GUARDIAN.EXE   Sunday               Jerusalem.Sunday.H 
HARBOR.EXE     Burger               Burger.560.AC 
HEDGES.COM     Suriv_2.01           Suriv2.G 
HENDRIX.COM    Suriv_2.01           Suriv2.D 
HITMAN.EXE     Jerusalem-1          Jerusalem.1808.Frere.E 
HOLSTEIN.COM   Jerusalem-1          Jerusalem.1808.sUMsDos.AD 
HONGKONG.EXE   Armagedon            Armagedon.1079.D 
HUMP.EXE       Shake                Shake.B 
HUNGER.EXE     Traceback            Traceback.3066.B 
IAN.EXE        *Hymn.B              Hymn.Hymn.B 
IDAHO.EXE      Dr.Q                 Vienna.648.AA 
ILIAD.EXE      Jerusalem-US         Jerusalem.1808.sUMsDos.AE 
INGRID.EXE     2144                 Hymn.2144.B 
ISIS.EXE       Taiwan-c             Taiwan.708.B 
JACKSON.COM    Voronezh             Voronezh.1600.C 
JEDDAH.EXE     Testvirus B          Testvirus-B.C 
JOYGIRL.EXE    Interceptor          Vienna.Choinka.C 
KENNEDY.EXE    Burger               Burger.560.F 
KENTUCKY.EXE   Plastique!           Jerusalem.AntiCad.2900.Plastique.C 
KHEFRAI.EXE    *Fumble.867.E        Fumble.867.E 
KICK.EXE       Sylvia               Sylvia.1332.E 
KINKY.EXE      Burger               Burger.560.AE 
KISS.EXE       Jerusalem-US         Jerusalem.1808.sUMsDos.AB 
LA_BAMBA.COM   Black Monday         Black Monday.1055.E 
LEPTON.COM     Icelandic_(1)        Icelandic.1.B 
LICK.EXE       1024PrScr            Zherkov.1023.B 
LONDON.EXE     Diskjeb              Tenbyte.Diskjeb.B 
LUCKY.EXE      SVC                  SVC.1689.D 
LUSTY.EXE      Jerusalem-US         Jerusalem.1808.Null.B 
MARYLAND.COM   SVC                  SVC.1689.B 
MAYBE.EXE      Number of the Beast  No. of the Beast.AA 
MCAFEE.EXE     South Africa         Friday the 13th.540.C 
MEPHISTO.COM   2144                 Hymn.2144.C 
MEXICO.EXE     Diskjeb              Tenbyte.Valert.B 
MILLION.EXE    Pixel-277            Pixel.277.B 
MINISTER.EXE   W13                  Vienna.W-13.534.H 
MISFIT.COM     Yankee               Yankee Doodle.TP.44.F 
MOON.EXE       Dbase                Dbase.E 
MOORE.EXE      Black Monday         Black Monday.1055.F 
MUCK.EXE       Jerusalem-1          Jerusalem.1808.Frere.F 
MUD.EXE        Plastique!           Jerusalem.AntiCad.2900.Plastique.B 
MULE.EXE       Frodo                Frodo.G 
NO.EXE         Bestwish             Best Wishes.1024.D 
NOTHING.COM    Voronezh             Voronezh.1600.D 
NUCLEAR.EXE    Yankee               Yankee Doodle.TP.44.G 
NUT.EXE        *PSQR.B              Jerusalem.PSQR.B 
NUTMEG.COM     SVC                  SVC.1689.C 
OF_COURS.EXE   Taiwan-c             Taiwan.708.B 
OMEGA.EXE      711                  Thirteen minutes.B 
OORT.EXE       *Fu Manchu.D         Jerusalem.Fu Manchu.D 
OREO.EXE       Destructor           Destructor.B 
ORION.COM      Suriv_2.01           Suriv2.E 
OSIRIS.EXE     MGTU                 MGTU.273.B 
OSLO.EXE       *DataCr.1168.B       DataCrime.1168.B 
PASTOR.EXE     Vacsina              Vacsina.Joker.B 
PEARL.EXE      *Phoenix.800.C       Phoenix.800.C 
PEGASUS.EXE    Diskjeb              Tenbyte.Diskjeb.C 
PENGO.EXE      Suriv_3.00           Jerusalem.sURIV 3.B 
PEPPER.EXE     Yankee               Yankee Doodle.TP.46.B 
PERHAPS.EXE    VFSI                 VFSI.B 
PHOTON.COM     MIX1                 Icelandic.MIX-1.G 
PILGRIM.EXE    *Perfume.Blank.B     Perfume.765.Blank.B 
PISS.EXE       Devil’s Dance        Devil’s Dance.D 
PLAYBOY.EXE    Sunday               Jerusalem.Sunday.J 
PLEIADES.EXE   MG                   MG.2.D 
PLEXUS.EXE     Attention            Attention.C 
POSSIBLY.EXE   Oropax               Oropax.C 
PRAVDA.EXE     VP                   VP.C 


VIRUS BULLETIN ©1993 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel +44 (0)235 555139. /90/$0.00+2.50 
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers. 





Sample name    VB pattern           Name 
PRICK.EXE      Victor               Victor.B 
PULPIT.EXE     Burger               Burger.560.AD 
PUSSY.COM      Vcomm                Vcomm.637.D 
RHO.COM        Suriv_2.01           Suriv2.F 
ROGER.EXE      Taiwan-2             Taiwan.743.B 
ROT.EXE        Subliminal           Jerusalem.Solano.Subliminal.B 
SAFFRON.EXE    *YD.1049.B           Yankee Doodle.1049.B 
SALEM.COM      SVC                  SVC.1689.D 
SALSA.EXE      GhostBalls           Vienna.648.AB 
SALT.COM       Black Monday         Black Monday.1055.H 
SANDY.EXE      *WW.217.D            WW.217.D 
SCAM.EXE       Zero_Bug             Zero Bug.B 
SCARE.EXE      Jerusalem-1          Jerusalem.1808.sUMsDos.AG 
SET.COM        December_24th        Icelandic.December 24th.B 
SHANGHAI.EXE   Liberty              Liberty.E 
SHARK.EXE      W13                  Vienna.W-13.534.J 
SHIT.EXE       W13                  Vienna.W-13.534.I 
SIGMA.EXE      Jerusalem-US         Jerusalem.1808.sUMsDos.AH 
SIN.EXE        Parity               Parity.B 
SIRIUS.COM     Jerusalem-1          Jerusalem.1808.sUMsDos.AI 
SLASH.EXE      191                  Danishtiny.163.B 
SMILE.EXE      GhostBalls           Vienna.648.AC 
SMURF.EXE      Nina                 Nina.C 
SNAKE.EXE      Russian mirror       Russian mirror.B 
SOHO.EXE       Kennedy              Danish tiny.Kennedy.B 
SONAR.EXE      Datalock             Datalock.920.K 
SQUID.EXE      Violator             Vienna.648.AD 
STAB.EXE       Jerusalem-US         Jerusalem.1808.Blank.B 
STALLION.EXE   Murphy_1             Murphy.1277.B 
STRIKE.EXE     440                  NoBock.B 
ST_PETER.EXE   W13                  Vienna.W-13.537 
SUCK.COM       Alabama              Alabama.C 
SUSHI.EXE      Jerusalem-1          Jerusalem.1808.Frere.G 
TANGO.EXE      707                  USSR-707.C 
TASHKENT.EXE   Doteater             Doteater.E 
TERRIER.EXE    MGTU                 MGTU.273.C 
THE_CULT.COM   Jerusalem-1          Jerusalem.1808.sUMsDos.AJ 
THE_THE.COM    Icelandic_(2)        Icelandic.Saratoga.C 
THUNDER.EXE    *MG.3.C              MG.3.C 
TONGA.EXE      *ACad.Mozart.B       Jerusalem.AntiCad.4096.Mozart.B 
TRUST_ME.EXE   Dark Avenger         Dark Avenger.1800.F 
TURTLE.EXE     Yankee               Yankee Doodle.TP.44.H 
UTRECHT.EXE    GhostBalls           Vienna.GhostBalls.C 
UZI.EXE        Burger               Burger.560.AA 
VAGELOS.EXE    MLTI                 Red Diavolyata.830.B 
VEGEMITE.EXE   Devil’s Dance        Devil’s Dance.C 
VENICE.EXE     Voron-370            Voronezh.600.B 
VERITAS.EXE    W13                  Vienna.W-13.507.E 
WHORE.EXE      492                  SI-492.C 
WIDGET.EXE     417                  F-you.417.B 
WINDSOR.EXE    *Vienna.623.C        Vienna.623.C 
WINSTON.EXE    516                  Leapfrog.B 
X-17.EXE       Zero Hunt            Zero Hunter.415.C 
XXX.EXE        Voronezh             Voronezh.1600.E 
YAHOO.EXE      Westwood             Jerusalem.Westwood.B 
YELLOW.EXE     Diskjeb              Tenbyte.Valert.C 
YONDER.COM     Cookie.b             SysLock.Cookie.B 
ZAP.EXE        Taiwan-c             Taiwan.752.B 
ZEUS.EXE       Jerusalem-1          Jerusalem.1808.Anarkia.D 
ZIMBABWE.EXE   -no pattern-         Flip.2343.B 
ZULU.EXE       Yankee               Yankee Doodle.TP.39.B 


A ‘*’ in front of the name of a search string indicates that this is a new search string, first published this month. 


The second group includes viruses which either did not replicate in testing, or have not yet been classified. Some of those samples are clearly damaged, and are incapable of replicating under normal circumstances. 


Sample name    VB pattern / Variant of... 
38-24-37.EXE   GhostBalls Vienna.648 
ABRAHAM.EXE    Vienna 
AMWAY.EXE      Interceptor Vienna 
BAHRAIN.EXE    Agiplan Month4-6 
BENNY.COM      Jerusalem-1 Jerusalem.1808 
BULL.COM       Icelandic_(1) Icelandic.1 
CERTAIN.COM    Icelandic_(3) Icelandic.2 
CHOLERA.COM    Icelandic_(3) Icelandic (2) 
CROTCH.EXE     SysLock 
DANIEL.EXE     Int13 
DANZIG.EXE     Number of the Beast 
DICK.EXE       Zero Hunt Zero Hunter 
DINGO.EXE      Dr.Q Vienna.648 
DISNEY.EXE     Anthrax Anthrax 
DOLPHIN.EXE    1600 Happy New Year.1600 
DONKEY.EXE     Dark Avenger Dark Avenger.1800.G 
DONNA.EXE      Sunday Jerusalem.Sunday 
EROTICA.EXE    Vienna-5 Vienna.VHP.348 
EXPLODE.EXE    Jerusalem-US Jerusalem.1808 
FELINE.EXE     Do_nothing Stupid.583 
FLEMMING.EXE   Bebe Bebe.1004 
GADGET.EXE     Sverdlov Dark Avenger 
GAY.EXE        Intercepter Vienna 
GEYSER.EXE     Frodo 
GINSENG.EXE    Vienna 
HADRON.EXE     Phoenix.Proud 
HIT.EXE        Number of the Beast No. of the Beast 
HONGKONG.COM   December_24th Icelandic.December_24th 
INTRO-1.EXE    GhostBalls Vienna.648 
ISTANBUL.EXE   Flash.688 
JENNY.EXE      Plastique! Jerusalem.AntiCad.3012 
JIHAD.EXE      Vienna.435 
KAISER.EXE     Jerusalem-US Jerusalem.1808 
KEY_WEST.EXE   Vienna 
KILL.EXE       Hymn.Hymn 
LLAMA.EXE      Lehigh Lehigh 
MALARIA.EXE    1600 Happy New Year.1600 
MARY_LOU.EXE   Kylie Jerusalem.Kylie 
MELON.EXE      Burger Burger.560 
NICOTIN.EXE    Suriv_1.01 Suriv 1 
NIXON.EXE      Burger Burger.560 
NURSE.EXE      Suriv_1.01 Suriv 1 
PARTICLE.EXE   Vienna.644 
PEANUT.EXE     Vienna-5 Vienna 
PEROT.EXE      Datacrime2 DataCrime II 
QUARK.EXE      696 On 64 
RAPE.EXE       Burger Burger.382 
RISUTORA.EXE   Jerusalem-US Jerusalem.1808 
SACK.EXE       Amoeba 
SAND.EXE       Vienna 
SNOW.EXE       South Africa Friday the 13th.416 
SUPER.EXE      MLTI Red Diavolyata 
SYPHLIS.COM    Vcomm Vcomm.637 
TOTO.EXE       Suomi 
TURBO.EXE      Number 1.AIDS.A 
XYZ.EXE        Crazy Eddie Crazy Eddie 


In addition, a few viruses were represented by several samples: 

Sample name    Identical to... 
COLGATE.EXE    COACH.EXE 
DISCOVER.EXE   DELTA.EXE 
FOXTROT.EXE    DELTA.EXE 
GRETHE.EXE     DELTA.EXE 
KATYA.EXE      ISIS.EXE 
LASER.EXE      HIT.EXE 
LINGAM.EXE     HIT.EXE 
MAESTRO.EXE    LLAMA.EXE 
MURDER.EXE     COLLIDER.EXE 
Q345.EXE       JIHAD.EXE 
YES.EXE        OF_COURS.EXE 


Editor’s Note: Any reader with any further information about the author of this virus 
collection should contact The Editor, Virus Bulletin, or New Scotland Yard’s 
Computer Crime Unit. Tel. +44 (0)71 2301177. 
VIRUS ANALYSIS 1 


The Monkey Virus 


Monkey is a new boot sector virus, reported to be at large in 
Europe. Two samples were sent for analysis, differing in 
both content and the location of various sections of code. 
However, they are undoubtedly variants of the same virus, 
presumably written by the same individual. Monkey has no 
trigger routine, but can cause serious damage, due to the 
method of operation. Its name is contained at the end of the 
code in both samples, hidden by a simple encryption routine. 


Installation and Operation 


This virus infects the Master Boot Sector of fixed disks when they are booted from an infected diskette. Processing begins by initialising the various code parameters needed. A request for available memory size is issued to the BIOS: one Kbyte is removed from the top of RAM, and the original system Int 13h vector is collected into the virus code. The virus’ Int 13h interception routine is then hooked into the system, and a segment address is calculated, relocating the virus code to the top of memory. Next, the MBS of the first fixed drive is read into memory. Should signs of infection be found, the virus identifies where the original MBS is stored, reads it into memory, decrypts it, and returns control to the MBS, enabling booting to continue. If the fixed disk MBS is clean, the virus infects it, storing an encrypted copy of the original. 


‘Encryption’ is rather a grandiose description: in both versions, each byte in the sector is simply XOR-ed with a value of 2Eh. This may be an attempt to make disinfection more difficult, but will present no difficulty to a good detection/disinfection program. 


Once hooked, the virus intercepts requests to the disk access services. The infection routine is only called during 25% of read requests, making it slightly more difficult for the virus to replicate. Requests for read access to sector 1 or 2, head 0 on fixed disks or head 1 on floppies are routed through a routine which completes the request and examines the sector to see whether it is infected. If it is, the original MBS is collected and decrypted before returning to the calling routine. Requests for write access to the same sectors are treated slightly differently: a request to write to sector 1 or 2 of head 0 on a fixed disk is changed to a disk reset command, preventing virus code from being overwritten. 


Infection 


Before attempting to infect the fixed disk, two checks are made. The first check is simply to prevent an attempt to infect an already infected disk. The second is more interesting: the virus appears to look for a specific type of boot sector (which may be part of an anti-virus package) and modifies its operations accordingly. 


This first test is made by searching for the value 9219h at offset 01FAh in the MBS. If this is found, the infection routine is aborted. Should the first flag value not be found, the second is examined (see below). If it is not present, the virus writes a copy of its code to the MBS, and encrypts the existing MBS before writing it to an alternative sector (though always on Track 0). The position of this sector varies for different media: 


                Head   Sector 
360k floppy       1       3 
720k floppy       1       5 
1.2M floppy       1      14 
1.44M floppy      1      14 
Fixed Disk        0       3 


On floppy disks, these positions represent the final sector of 
the root directory, and infection by the virus will destroy any 
file entries stored there. 


The function of the second flag is more interesting. If the MBS contains the value 6150h at offset 0119h, the virus treats the second sector of the disk as if it were the MBS, writing the virus code to this sector. 


The flag value of 6150h can be interpreted as the ASCII letters ‘Pa’: this may be part of the word ‘Partition’ which often appears in MBS code. This check appears to be an attempt to bypass a boot protection mechanism. If such a system is encountered, it is likely that infection will be unsuccessful, as the virus contains a serious bug which causes the machine to hang. 


Aliases: None known. 
Type: Master Boot Infector. 
Infection: Fixed and floppy disks. 
Self-recognition on Disk: Value 9219h at offset 01FAh. 
Self-recognition in Memory: None. 
Hex Pattern: (on Master Boot Sector or in memory) 

83F9 0373 3A3A 3475 3680 FC02 
740E 80FC 0375 2C80 FA80 7227 

Intercepts: Int 13h Read and Write requests. 
Trigger: None found. 
Removal: Disinfection possible using specially written software. 
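The two flag values, the XOR 2Eh encoding and the search pattern above are enough to write a detection and recovery check for an MBS image. The following Python is an added example, not Virus Bulletin's or any product's code; it assumes the flag words are stored little-endian and builds its own constructed sample sectors rather than using real boot code.

```python
"""Detection and recovery helpers for the Monkey MBS infection described above.

Added example, not Virus Bulletin's code. Assumptions: the 9219h and 6150h
flags are little-endian words; the sectors built below are constructed test data.
"""

SECTOR = 512
MARKER_OFFSET, MARKER = 0x1FA, 0x9219   # self-recognition flag (infection abort check)
PA_OFFSET, PA_FLAG = 0x119, 0x6150      # 'Pa' flag: virus then writes itself to sector 2
XOR_KEY = 0x2E                          # the 'encryption' of the stored original MBS

# Search pattern from the summary box (the scanned text rendered FC02 as "FCO2").
MONKEY_PATTERN = bytes.fromhex(
    "83F9 0373 3A3A 3475 3680 FC02 740E 80FC 0375 2C80 FA80 7227")

# Track-0 location (head, sector) of the encrypted original boot sector.
STORED_SECTOR = {"360k": (1, 3), "720k": (1, 5), "1.2M": (1, 14),
                 "1.44M": (1, 14), "fixed": (0, 3)}


def word_at(sector, offset):
    return int.from_bytes(sector[offset:offset + 2], "little")


def is_monkey_mbs(sector):
    """True when a sector carries both Monkey's flag word and its code pattern."""
    return (len(sector) == SECTOR
            and word_at(sector, MARKER_OFFSET) == MARKER
            and MONKEY_PATTERN in sector)


def would_redirect_to_sector_2(sector):
    """The second check: an MBS holding 'Pa' at 0119h makes the virus target sector 2."""
    return word_at(sector, PA_OFFSET) == PA_FLAG


def recover_original_mbs(stored):
    """Undo the XOR-2Eh encoding; reject output lacking the 55AAh boot signature."""
    plain = bytes(b ^ XOR_KEY for b in stored)
    if len(plain) != SECTOR or plain[-2:] != b"\x55\xAA":
        raise ValueError("no boot signature after decoding: wrong sector or not Monkey")
    return plain


def disinfect(infected_mbs, stored_sector):
    """Return the original MBS to write back, or None when the MBS is not Monkey."""
    if not is_monkey_mbs(infected_mbs):
        return None
    return recover_original_mbs(stored_sector)


def build_samples():
    """Constructed test data: a clean MBS plus the two sectors Monkey leaves behind."""
    # Minimal boot prologue (CLI; XOR AX,AX; MOV SS,AX), zero fill, boot signature.
    clean = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + bytes(SECTOR - 7) + b"\x55\xAA"
    stored = bytes(b ^ XOR_KEY for b in clean)          # parked copy on track 0
    infected = bytearray(SECTOR)
    infected[0x40:0x40 + len(MONKEY_PATTERN)] = MONKEY_PATTERN
    infected[MARKER_OFFSET:MARKER_OFFSET + 2] = MARKER.to_bytes(2, "little")
    infected[-2:] = b"\x55\xAA"
    return clean, bytes(infected), stored
```

On a real disk the stored sector is read from the track-0 position in STORED_SECTOR for the medium in question, and the 55AAh check guards against writing back a sector that was never the boot record.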
VIRUS ANALYSIS 2 


ARJ: a Place in the Archives! 


Eugene Kaspersky, Vadim Bogdanov 


The main thrust of most virus writers’ work is the development of existing infection techniques. Optimization of virus code and the creation of elaborate new polymorphic algorithms are but a few of the ways in which the computer underground attempts to thwart scanner developers. Most new developments in the field are simply extensions of a well-known idea. For example, virus code might be inserted into the free space in an EXE header, rather than appended. 


Now and then, however, virus writers come up with a completely new idea. When this happens, anti-virus software manufacturers must decide whether or not to modify their products to deal with a new infection strategy. The ARJ-Virus represents one such turning point for the industry: it is capable of infecting files inside ARJ archives. 


Compress and Save 


ARJ-Virus is, in fact, more akin to a worm than to a standard DOS virus. It is 5000 bytes long, and adds code to compressed ARJ files. These compressed files, when unarchived and executed, infect other archives. One would assume that the task of adding code to these compressed files would be extremely complex, which in turn would make the virus very large. However, ARJ-Virus was sent to me complete with a copy of its C source code. This is approximately two hundred lines in length. How is it possible to do so much in such a short program? 


When an infected file is executed, it searches in the current and in all the parent directories for any files which have the extension ARJ. If an ARJ file is found, the virus creates a temporary file with the extension COM. The filename is generated by randomly choosing four letters from the range A to V. The choice is restricted because the upper limit for letters used by the virus is 0Fh: thus, the virus has a range of fifteen letters from which to choose. Examples of typical filenames generated by this routine are BHPL.COM, NLJJ.COM, and OKPD.COM. 


Once such a file is created, the virus copies itself into it, and appends a random number of ‘garbage’ bytes. These Trojan files range in length from about 5K (the length of the virus code) to 64K, the maximum allowable size of a COM file. 


The virus then needs to add this file to the host archive. It does this in the easiest manner possible... by executing the archiving file, ARJ.EXE! This program allows users to compress and store one or more files (including subdirectories) in one or several archive [Colloquially known as Arjive. Ed.] files in compressed format. ARJ is one of the most popular archivers, like PkWare’s PKZIP. 


ARJ.EXE is designed to be called from the command line, and therefore has a raft of commands and switches which can be set when it is executed. One of these, the ‘a’ switch, tells the program to add particular files to a named ARJ file. 


The virus uses this option to infect the host ARJ file, 
executing the following command line: 


c:\command.com /c arj a <arj-file> <filename>.com 


where <arj-file> is the name of the archive file about to be 
infected, and <filename> is the four bytes-long, randomly 
selected name described above. The ‘/c’ switch causes 
COMMAND.COM to execute a program, and to exit 
immediately upon execution. 


“This new virus ... presents a new idea which could be developed into a real threat to certain approaches to virus protection” 





On execution of this command, the archiver ARJ.EXE 
compresses and adds this Trojan program to the archive file. 
The virus then deletes the temporary file and searches for the 
next ARJ file. If there are no other archive files in the current 
directory, the virus will jump to the parent directory. Should 
the current directory be the disk root directory, the virus 
returns to DOS. 


The Manual Virus 


The virus described above is, under certain circumstances, 
capable of spreading. The most important requirement 
necessary for ARJ-Virus to work is the presence of the 
ARJ.EXE archive utility. The virus author has assumed that 
where ARJ files exist, so should the archiver. 


Moreover, ARJ-Virus assumes that the archiving program is specified somewhere on the path. Though this would seem to limit the spread of the virus, it is likely that it is capable of replicating on a number of machines: if ARJ files are stored on a machine, it is probable that the archiving program is also present. Traditionally, this file would be located in a directory specified on the path, such as \BIN. 


Another factor which limits the spread of this virus is its 
requirement that the user execute the Trojan file contained in 
the archive. Examining the situation from a psychological 
point of view, it does seem probable that the file will be 
executed. When the file is unpacked and examined, its 
contents will be seen to contain an extra executable file with 
a strange name. What is it, and will the user give in to the 
instinctive urge to execute the file to see what it does? 
One of several different things will happen at this point. Firstly, the user may simply ignore the file, or not even notice its existence. Should this be the case, the virus will not spread. Secondly, the user may examine the file, and try to gauge its function. In the absence of further information, the most likely result will be file execution. By relying on the user to help spread the virus, the author has made it difficult to use traditional methods for virus detection. 


As an experiment, I decided to ask ten people who work 
with computers every day what they would do if they 
unpacked an archive file and found that it contained an 
unknown COM file. 


About half of my test-set replied immediately, ‘Execute it!’. 
The others suggested that the contents of the file should be 
examined, and that if no further information came to light, it 
should be executed anyway! Not one of those whom I 
questioned suggested that the file should be scanned with 
anti-virus software before execution. 


It is possible, after having read this description, that the reader will assume that this virus is less likely to spread than most common viruses. This, however, is not the case: most viruses rely on users executing infected files or leaving an infected disk in the disk drive - with care and attention it is possible to prevent almost all virus attacks. 


The Features 


One of the more unusual traits of the ARJ-Virus is its ability to infect the same file many times over. The virus, by its very nature, cannot easily determine whether an archive file is already infected. Checking the contents of an archive file for the presence of the virus is quite a task, given that the Trojan COM file will be of variable size and name. This does not matter: ARJ-Virus has the look of a demonstration that a new idea works, not that of a finished product. 


Although it contains no intentionally destructive code, the virus can still damage executable files under certain circumstances. Sometimes the filename chosen by the virus is the same as a file already present within the archive. In this case, the virus overwrites the file already within the archive with the newly created Trojan file. 


The virus attempts to hide its presence by hooking Int 10h, 
the video interrupt. When the archive program is called, the 
virus simply installs its own Int 10h, which consists of an 
IRET instruction - i.e., all calls to the screen are ignored. If 
all goes well, and no errors are encountered, the infection 
process will be transparent to the user. 


Unfortunately, if either DOS or ARJ.EXE displays an error 
message during this process, things go awry. In the case of 
the virus attempting to infect a write-protected disk in the A: 
drive, the infection process will cause DOS to attempt to 
display the familiar ‘Write-protect’ error message and wait 
for a keystroke. The user will see only a blank screen, 
making it look as if the computer has crashed. 


The Problems? 


This virus raises new issues for anti-virus software developers. One problem pertains to behaviour blockers: how can the monitor intercept the legitimate request to add a file to the archive? I see no easy answer. Should the TSR display a warning about an ARJ file opening, or when COM files are opened or executed? This cannot be a good idea. A behaviour monitor would normally detect this virus when a new COM file is created. However, this is such a common occurrence that most users would ignore the warning. 


The virus itself, once unpacked, is relatively easy to detect (it 
even contains the internal text string ‘*.arj ..0000.com /c arj 
ac:\command.com’ ). However, searching for the virus in 
infected ARJ files is much more difficult. 


How important is it that scanners should be able to detect archives infected with ARJ-Virus? How many different popular archive standards are in use in the IBM PC world? In order to add this function to anti-virus software, a great deal of development time, money, and EXE code bytes are required - a bill which would eventually be laid at the feet of the user. Scanners are already bulging from the steady influx of new viruses, and making them aware of many different compressed file formats will slow them down still further. 
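A scanner that wants to look inside an ARJ archive must at least walk its headers, and the four-letter name plus the 5K to 64K size window described above give a first triage signal. The following Python is an added example, not Virus Bulletin's code and not ARJ's; it assumes the ARJ 2.x header layout (30-byte fixed part, CRC-32 over the basic header, extended headers terminated by a zero size) and constructs its own sample archive with stored members.

```python
"""Walk ARJ local headers and flag members that fit the Trojan's naming pattern.

Added example, not Virus Bulletin's code and not ARJ's own source. Assumptions:
ARJ 2.x header layout; four-letter names drawn from A..V as stated above; the
5K..64K size window given for the Trojan files. The sample archive is
constructed here with method 0 (stored) and a zero filler, not virus code.
"""
import re
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"    # header id 0xEA60 as it appears on disk
FILE_TYPE_MAIN = 2         # archive main header: carries no member data
METHOD_STORED = 0
SUSPECT_NAME = re.compile(r"^[A-V]{4}\.COM$")
MIN_SIZE, MAX_SIZE = 5000, 65535


def _basic_header(name, file_type, orig_size, comp_size):
    """Constructed ARJ header: 30-byte fixed part, name, empty comment, CRC, no ext headers."""
    fixed = struct.pack("<BBBBBBBBIIIIHHH",
                        30,            # first_hdr_size
                        11, 1,         # archiver version / minimum to extract
                        0,             # host OS: MS-DOS
                        0,             # arj flags
                        METHOD_STORED, file_type,
                        0,             # reserved
                        0,             # DOS date/time
                        comp_size, orig_size,
                        0,             # file CRC (not checked here)
                        0, 0x20, 0)    # entryname_pos, file_mode, host_data
    basic = fixed + name.encode("ascii") + b"\0" + b"\0"
    return (ARJ_MAGIC + struct.pack("<H", len(basic)) + basic
            + struct.pack("<I", zlib.crc32(basic))      # basic header CRC-32
            + struct.pack("<H", 0))                     # no extended headers


def iter_arj_members(data):
    """Yield (name, original_size, method) per member; the main header is skipped."""
    pos = 0
    while True:
        if data[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError("bad ARJ header id at offset %d" % pos)
        hdr_size = struct.unpack_from("<H", data, pos + 2)[0]
        if hdr_size == 0:                     # end-of-archive marker
            return
        basic = data[pos + 4:pos + 4 + hdr_size]
        stored_crc = struct.unpack_from("<I", data, pos + 4 + hdr_size)[0]
        if zlib.crc32(basic) != stored_crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        first_hdr_size, method, file_type = basic[0], basic[5], basic[6]
        comp_size, orig_size = struct.unpack_from("<II", basic, 12)
        name = basic[first_hdr_size:].split(b"\0", 1)[0].decode("ascii", "replace")
        pos += 4 + hdr_size + 4
        while True:                           # extended headers: size, body, CRC
            ext_size = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if ext_size == 0:
                break
            pos += ext_size + 4
        if file_type == FILE_TYPE_MAIN:
            continue
        yield name, orig_size, method
        pos += comp_size                      # skip the member's compressed data


def suspect_members(data):
    """Names fitting the heuristic: four letters + .COM with a 5K..64K original size."""
    return [name for name, size, _ in iter_arj_members(data)
            if SUSPECT_NAME.match(name) and MIN_SIZE <= size <= MAX_SIZE]


def build_sample_archive():
    """Constructed archive: a text member plus one name/size that fits the heuristic."""
    readme = b"constructed sample archive\r\n"
    filler = bytes(6000)                      # zero filler, not virus code
    return (_basic_header("SAMPLE.ARJ", FILE_TYPE_MAIN, 0, 0)
            + _basic_header("README.TXT", 0, len(readme), len(readme)) + readme
            + _basic_header("BHPL.COM", 0, len(filler), len(filler)) + filler
            + ARJ_MAGIC + b"\0\0")
```

A name match is only a triage signal, since any four-letter COM file of that size will trip it; the member still has to be extracted and scanned, which is exactly the cost the paragraph above describes.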


ARJ-Virus is quite primitive, and not a great security threat 
to PCs. However, it presents a new idea which could be 
developed into a real threat to certain approaches to virus 
protection. The idea of virus encryption introduced in 
Cascade grew up to be the MtE and TPE. Let’s be ready. 


ARJ-Virus 

Aliases: None known. 
Type: Non-resident Worm. 
Infection: Creates Trojan COM files inside archives compressed using ARJ. 
Self-recognition on Files: None. 
Self-recognition in Memory: None necessary. 
Hex Pattern: 

558B EC83 C4EE E883 03B8 B614 
50E8 3E0B 50E8 450B 83C4 04B8 

The pattern in infected archive files depends on the version of ARJ archiver stored on the host machine. 

Intercepts: Int 10h to disable the screen output. 
Trigger: None. 
Removal: Delete Trojan COM files from disk and within archives. 
FEATURE 


The Real Virus Problem 


Jim Bates 


There has always been a pressing need for reliable information concerning computer virus activity in the real world: only by accurate assessment of the problem can an effective defence be created. Thanks mainly to the marketing efforts of the anti-virus industry around the world, the true extent of the problem has been efficiently concealed beneath a ragbag of pseudo-scientific projections, surveys, reports, forecasts and speculations. Here I present the findings of a recent survey of UK computer programmers, conducted without any input from the software vendors. 


Vital Statistics 


The infamous Tippett Prediction appeared to forecast virus infections of galactic proportions by the end of this century. Since then, most of the information concerning virus prevalence has either been unabashed hyperbole and exaggeration designed primarily to frighten users into buying a particular anti-virus package, or simply gathered in such a way as to invalidate the statistics. 


One of the biggest problems in this area is that, following the grossly overestimated predictions about Michelangelo prevalence, predictions from within the industry are seen to be self-serving at best. Many anti-virus companies experienced record sales in the scanning frenzy which preceded ‘Michelangelo Day’ in 1992, and ever since, the public has been understandably wary of industry-generated figures. 


Academic discussion of the pros and cons of rare and exotic virus techniques, coupled with the magpie collection complex displayed by vendors and researchers intent upon playing the numbers game, may be very stimulating. Such counting, however, bears little direct relevance to the problems faced by computer users. Similarly irresponsible attitudes to virus writers themselves encourage a whole group of prospective ‘researchers’ to think it perfectly acceptable to write viruses for ‘research purposes’ and then pass them on to others, to swell their collections. 

[Figure: chart of survey responses; only the label ‘(a) 280’ survives extraction.] Breakdown of virus type: (a) Never had a virus. (b) Had a boot sector virus. (c) Unsure of virus type. (d) Had a parasitic virus. (e) Had both boot sector and parasitic viruses. 


Those researchers genuinely concerned with helping users 
have had to rely upon verified reports of virus infections 
coming in through their own channels, as well as upon 
occasional statistics produced by other trusted organisations 
such as the Police. Until now, this is all they have had to 
enable them to evaluate the extent of the problem. We may, 
however, be seeing the beginning of a new trend, with the 
publication of the results of a survey conducted by the 
Institution of Analysts and Programmers (IAP). This 
organisation is dedicated to the promotion of excellence 
amongst computer professionals, and their survey represents 
the first truly independent attempt which I have seen to 
evaluate the real extent of the virus problem. 


Setting the Scene 


Several fascinating revelations from the results of the survey 
confirm the reliability of the approach adopted by responsi- 
ble researchers in the UK. First, existing figures seem to 
indicate that under 2% of known viruses are actually at large 
and causing problems for real computer users. Second, it 
appears that there is a slight preponderance of boot sector 
over parasitic viruses, despite the fact that parasitic types 
form the vast majority of most collections. Finally, it is 
thought that most of the real problems arise from a handful 
of aged viruses (old, that is, when compared to the age of the 
virus problem). 


The IAP survey consisted of a simple questionnaire sent out 
to around 2,500 members (mainly in the UK) and 521 (circa 
20%) were returned. I understand that this is a better than 
average response to such things. The figures which follow 
include approximate percentages, in order to give an idea of 
just where changes are occurring in this field. 


In the Wild 


Of those replying, 280 (54%) reported no virus incidents. 
When asked how long ago the infection occurred, the 
remaining 241 were split 166 to 75 (69% to 31%) - the 
larger group indicating infection within the past year. 


The survey then went on to determine which types of virus 
had been noted. Here, 81 (34%) definitely identified boot 
sector viruses only, 56 (23%) said parasitic viruses only, 41 
(17%) experienced both types, and the remaining 63 (26%) 
did not know what type of virus had infected their computer. 
There were eight different boot sector viruses and 14 
different parasitic varieties reported, so even if the 63 people 
who were unsure of the type all had different viruses 
(extremely unlikely), well under 100 different viruses would 
have been reported at large. This seems to confirm the 
current suggestion of approximately 40 to 45 common 
viruses causing almost all real-world problems. 


A further breakdown of the virus types indicated that just 
five viruses accounted for around 93% of all boot sector 
infections (Form 38%, New Zealand 31%, Michelangelo 
9%, Tequila 8%, Spanish Telecom 8%) whilst another four 
viruses caused around 65% of parasitic infections (Cascade 
26%, Jerusalem 17%, Yankee Doodle 11%, Dark Avenger 
11%). Thus the overall picture shows that of the 234 people 
who were able to identify the virus, 188 (80%) had been hit 
by one of just nine viruses. 


This again tallies with most observed data from other 
sources, and is a far cry from the threat of ‘thousands of 
viruses’ which some vendors claim are in the wild. 







Changing Times 


The survey revealed some interesting variations on the point 
at which infections were noted, and additional analysis was 
made of this. The most common virus reported from more 
than one year ago was Tequila (31 instances) followed by 
Cascade (14 reports), New Zealand (11) and Form (10). 
Since there were 100 reports within this time frame, these 
figures also represent percentages. The results for the past 
year show dramatic changes. The most common virus now is 
Form with 41 reports (21%), followed by New Zealand with 
31 (16%) and Spanish Telecom with 11 (6%). 


As well as obtaining these figures for actual virus infections, 
users were also asked how those affected had dealt with the 
problem. The response showed that over 82% had used 
proprietary anti-virus software, while around 14% had dealt 
with the problem in-house. Just 3% had contacted an outside 
consultant for further help. 


Another series of questions asked how users handled the 
threat of virus infection. Rather surprisingly, 41% had an 
anti-virus policy and had been hit, 41% had no policy and 
had been hit, 13% had no policy and had not been hit, and 
the remaining 5% had an anti-virus policy and had not been 
hit. It would seem from this that an anti-virus policy alone is 
no real defence against the threat. The type of anti-virus 
measures which users implement were analysed as follows: 
10% banned incoming software, 25% had some form of 
quarantine arrangement, 30% maintained control of software 
sources and 27% conducted regular software audits. 


Helping with Enquiries 


A final question concerned the reporting of virus attacks. 
This contained the biggest surprise - fewer than 6% of the 
respondents actually reported the incident to the police! 


These figures certainly confirm that a virus problem does 
exist, since nearly half of all respondents had experienced an 
attack. However, the extent of the problem indicates that the 
level of user awareness, at least in the UK, has contained the 
problem within far narrower limits than those suggested by 
many vendors of anti-virus software. 


All the viruses reported are relatively simple ones; there is a 
distinct absence of the more exotic types beloved of the 
academic researchers and virus collectors (Commander 
Bomber, Starship, DIR II, Tremor and so on). It seems that 
the presence or absence of an anti-virus policy has little 
effect in preventing infections. This can only be due to poor 
implementation and user education: a well designed virus 
defence will prevent infection. 


I was most disappointed to read just how few people report 
the problem to the police, as this has been a major source of 
statistical information on virus prevalence for some time 
now. However small their sample may have been, its 
usefulness is amply demonstrated by the similarity of the 
IAP survey. I would urge all users to reconsider any policy 
which prevents reporting virus outbreaks. 


Each report is treated in the strictest confidence and provides 
the only possibility of bringing the perpetrators to book. If 
you need further information, call the Computer Crime Unit 
at New Scotland Yard on +44 (0)71 230 1177. 


I am particularly indebted to Michael Ryan, Director General 
of The Institution of Analysts and Programmers 
(+44 (0)81 567 2118), for allowing me access to these 
figures and analyses. 








UK’s ‘Most unwanted’ list: The top nine viruses account for 80% 
of all virus outbreaks among those polled. Reports per virus: 

Form 51 
New Zealand II 42 
Tequila 39 
Cascade 24 
Jerusalem 17 
Michelangelo 12 
Spanish Telecom 11 
Dark Avenger 10 
Yankee 10 
PRODUCT REVIEW 1 


The ASP Integrity Toolkit 


Mark Hamilton 


The ASP Integrity Toolkit was first reviewed in VB by Dr 
Keith Jackson in June 1992. It was distributed by a Danish 
company, Sikkerheds Radgiverne (SR), who acquired sole 
worldwide distribution rights in January 1993. I was 
therefore particularly interested to see whether the product 
had since improved. 


The Package and Documentation 


The product claims to provide an ‘Integrity Shell’ within 
which only validated programs can be executed. The 
Integrity Toolkit offers the user access control, file checksumming 
and verification, boot sector protection and a 
choice of two virus scanners (see below) to ensure that the 
system is virus-free before installation. This list is by no 
means exhaustive: the product attempts to provide a comprehensive 
solution to computer viruses in one package. 


Integrity Toolkit consists of two manuals and one high- 
density 3.5-inch diskette. Unfortunately, not all computers 
can accept this media type, a point made in our previous 
review of the product, and one apparently ignored by the 
vendors. Also included was a letter, some of whose contents 
concerned me: ‘I must stress that the installation process 
described in the manual must be followed to the letter.’ Why 
is this so vital? 


The manuals appear little changed since the author, Dr Fred 
Cohen, first penned them in 1991. One is an A5 book over 
90 pages long, entitled simply ‘The ASP Integrity Toolkit’: 
it serves as user documentation. The other, a slim A4 
booklet, contains details on how a technically proficient user 
might tailor the Integrity Toolkit to meet his needs. It is 
much more technical in content, and clearly not designed as 
a light read. 


Whilst the product’s underlying kernel is written in a 
mixture of assembly language and C, a LISP interpreter is 
used to configure the Integrity Toolkit’s operation. LISP is 
not a popular language - certainly, in the computer departments 
of large corporates, skills in Visual Basic, C, FoxPro 
and the Windows and OS/2 APIs are far more common. 


Are we Compatible? 


One of the caveats mentioned in the very brief installation 
instructions refers to setting up on a PC where a memory 
manager is running. Almost all PCs have some sort of 
memory management software; these users are referred to 
the System Administrator’s manual, which appears later in 
the A5 book. Finding this section was not easy: the index 
and the table of contents are particularly unhelpful. 


The manual stresses that the Integrity Toolkit should work 
with most memory managers, but does indicate a potential 
problem - if the user is running a memory manager, he is 
warned that installing BootLock may fail, causing the PC to 
lock up. The documentation states: ‘If default installation 
fails, there is a chance you will have to use the recovery 
techniques listed earlier to regain access to your system.’ 


The BootLock component of the software actually encrypts 
the Partition Table - this is not a viable option for users with 
dual or multiple boot machines using the Boot Managers 
that come with OS/2 or Windows NT, as it negates access 
under a non-MS-DOS operating system. These changes take 
place without an explicit warning to the user, which could 
cause a few worrying moments. The documentation should 
be altered to explain this process more thoroughly. 











Installation prompt as displayed by the product: 

    Default installation provides coverage appropriate to an average 
    small to medium sized business. It assumes that you have: 

    NO memory manager, 
    NO network, 
    NO disk cache, 

    or other similar program operating. 

    It provides a moderate amount of protection against viruses and 
    operating system modifications, while no access control features are 
    implemented. Thus protection against DIRECT attack is NOT active, in the 
    default setup, as it is usually company policy which sets the do’s and 
    dont’s in this. 

    If you select not to use the default installation, you will be 
    provided with menus and asked to select your installation requirements. 
    Each menu consists of a set of options which can be turned on or off by 
    selecting the menu item of interest. Please refer to the IT reference 
    manual for details about these menu selections. 

    Shall I use the default installation?[y/n]: 

If default installation is not used, the user must refer to the System 
Administrator’s manual. 





Installation 


Keeping in mind the warnings about compatibility, I began 
the installation procedure, which opens with a request for a 
registration number, an expiration date and a registration 
code. When I received the package, a note of the registration 
number was not included; I merely pressed carriage return 
and entered the registration code and expiry dates - a 
decision I would later regret (see below). 


Menu Integrity Tool (MIT) is the program used to install the 
product. When executed, this proceeded to scan the hard 
drive with F-Prot, and install the components into the ASP 
directory created on drive C. This directory contained 148 
files, and used almost a megabyte of disk space. 


This initial scan is the only time F-Prot appears to be used in 
the Integrity Toolkit. I was informed by SR that it is not 
necessary to use this or any other scanner once the Integrity 
Toolkit is installed - a stance which, while factually accurate, 
does not reflect the way in which the product is likely to be 
used. If new programs are to be added to the hard drive, they 
should be scanned before use. Unless one intends never to 
upgrade the software on the protected PC, a scanner is 
useful, though only for incoming disks. 


When MIT had finished installing the program, I rebooted 
the PC, and the Integrity Toolkit immediately checked the 
boot sectors and executable files, comparing checksums to 
values stored in the database created on installation. It then 
displayed a ‘Logged in’ message. To accomplish this, it had 
modified my CONFIG.SYS file and, without alerting me 
first, had inserted the statement 


SHELL=\ASP\ASPLOGIN.EXE \ASP\LOGARGS.ASP 


This instruction means that the program ASPLOGIN.EXE 
is executed before loading the command interpreter 
(usually COMMAND.COM). The original shell specification 
is stored in the file LOGARGS.ASP, so those machines 
which use a replacement COMMAND.COM should still 
function correctly with the Integrity Toolkit installed. 


The Menu Integrity Tool 


The manual states that the product is normally used in one of 
two ways. The first of these lets the user implement features 
automatically installed at system bootup; the second gives 
more rights to System Administrators (primarily through use 
of the ‘Menu Integrity Tool’). 


So far, in the words of the manual, I am a user. I decided to 
be the System Administrator of my own machine, which 
seemed to me a reasonable choice. I ran MIT, and was 
informed that the program had not been registered. As I had 
done before, I then typed carriage return to the registered 
number prompt once again, and re-entered the registration 
code and the expiry date. It had worked before, should it not 
work again? I was mistaken. 


At that point a call to Denmark was necessary to obtain the 
necessary number. Once this had been done, I was able to 
gain access to the MIT program by providing the registration 
details required. In defence of Sikkerheds Radgiverne, 
installation is nearly always carried out by its own staff 
(indeed, there is a warning in the manual that this should be 
the case), so such problems should not occur. However, the 
unnecessary complexity would certainly put me off installing 
the product on new machines which I added to a system. 


The Integrity Toolkit provides protection by ensuring that 
only uninfected, authorised programs are allowed to execute. 
Each program is verified by checking its contents against a 
checksum. It was at this point that the vast number of 
options offered became confusing rather than useful. 


The checksums can be either sequentially stored or hashed, 
the latter being faster but using more disk space. The choices 
range from Big/Hashed/Slow through Small/Hashed/Fast to 
Sequential/Trivial. The differences in the various storage 
methods are inadequately explained in the manual, which 
gives no suggestion as to which type would suit each 
individual user. On-screen help is also woefully lacking: the 
hint bar at the bottom of the screen, when selecting the 
option, tersely states ‘No help available’. Indeed, I found 
reference to the previous VB review of this product, by Dr 
Keith Jackson, to be more useful than the manual provided 
by the manufacturer! 


If none of the algorithms offered by the product are suitable 
for the user, it is also possible to nominate an external 
routine. The built-in checksumming methods should suit 
most users, although all the routines are proprietary, and 
conform neither with ANSI nor ISO standards. 


In Use 


In its default configuration, all executable files are checked 
at boot time, along with key areas such as the boot sectors 
and the interrupt vector table. Using the Big/Hashed/Slow 
method, bootup time on the 25MHz 486sx notebook I used 
for testing this product was lengthened by ten seconds - not 
an unacceptable overhead. 


Other overheads were similarly encouraging. Using even the 
slowest checksumming technique on offer, I noticed only a 
very slight increase in the time taken to load and execute 
programs. If an attempt is made to run a program not yet 
registered in its integrity database, the user is alerted and 
asked if its checksum should be determined and stored. If the 
answer is negative, the program is simply not run. 


If the Integrity Toolkit detects alterations to the boot sector, 
the user is alerted - however, no disinfection is offered. This 
feature worked in my tests, although each time I had to run 
software from other vendors to disinfect my system before 
the Integrity Toolkit would allow me to boot from the fixed 
disk. An excellent result. 


Access all Areas 


One of the many different features offered by Integrity 
Toolkit is access control. If the program is configured so that 
this is implemented, certain decisions must be made by the 
user. For example, three different types of access control are 
available: Two Type, POSet, and Milspec. Adding the Two 
Type method (a two-password system; one with limited user 
rights, one with more access control, for the System Administrator) 
will lock the root directory of the computer. Locking 
the root directory, while providing a high level of security, 
prevents creating, editing or deleting any file or directory 
entry in the root. 


This means that a user without Supervisory rights cannot 
install new software. This is an extremely useful prophylactic 
against a number of different IT threats, especially the use 
of pirated software and games. 


Due to the way in which PC access control is viewed, this 
option is likely to be used only in companies with their own 
dedicated IT departments. This is a shame, as there are many 
computing environments which could benefit from the 
features this option provides. 
The Scanner 


As previously stated, two scanners are included with this 
product, Fridrik Skulason’s F-Prot, and Fred Cohen’s 
SCAN. The former is an integral part of the Integrity Toolkit, 
but used at no other time than installation, to pre-scan the 
hard drive. This, to my mind, is a serious error: when an 
attempt is made to execute a program not yet in the product’s 
integrity database, that program should first be scanned for 
viruses. It would be advisable to pre-scan files before 
including them in the integrity database. 


The Integrity Toolkit does not do this; consequently, it is 
possible to include virus-infected executables. As matters 
stand, it would be all too easy for the Integrity Toolkit to be 
targeted by a virus which would delete its database. For this 
reason, the use of a good scanner which can check incoming 
executables is vital. 
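The execute gate described under ‘In Use’, together with the missing scan-before-register step criticised here, as an added Python example (not ASP’s code): SHA-256 stands in for the product’s proprietary checksums, `toy_prescan` stands in for a real scanner, and the sample program images and the infection marker are constructed for the demonstration.

```python
"""Integrity-shell style execute gate, modelled on the behaviour this review
describes: a checksum database is built when programs are registered, each
program is verified against it before it may run, and an unknown program is
either registered (if the user agrees) or refused.

Added example for this page, not ASP's code. SHA-256 replaces the product's
proprietary checksums (an assumption); toy_prescan replaces a real scanner."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a scanner signature; nothing real is matched.
INFECTION_MARKER = b"CONSTRUCTED-INFECTION-MARKER"


def file_checksum(path: Path) -> str:
    """SHA-256 of the whole file image (stand-in for the product's checksums)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def toy_prescan(path: Path) -> bool:
    """Stand-in for scanning an incoming program: True means 'looks clean'."""
    return INFECTION_MARKER not in path.read_bytes()


class IntegrityShell:
    """Execute gate: a program runs only if its checksum matches the database."""

    def __init__(self, db_path: Path, prescan=None):
        self.db_path = db_path
        self.prescan = prescan  # None reproduces the reviewed product: no scan
        self.db = json.loads(db_path.read_text()) if db_path.exists() else {}

    def _save(self) -> None:
        self.db_path.write_text(json.dumps(self.db, indent=1))

    def register(self, path: Path) -> bool:
        """Add a program to the database; refused if the pre-scan flags it."""
        if self.prescan is not None and not self.prescan(path):
            return False
        self.db[path.name] = file_checksum(path)
        self._save()
        return True

    def gate(self, path: Path, register_unknown: bool = False) -> str:
        """Decide whether a program may run; returns the verdict as text."""
        expected = self.db.get(path.name)
        if expected is None:
            if not register_unknown:
                return "unknown: not run"  # the user answered 'no'
            if self.register(path):
                return "registered"
            return "unknown: refused by pre-scan"
        if file_checksum(path) != expected:
            return "modified: not run"
        return "ok"


def run_demo(workdir: Path, with_prescan: bool) -> dict:
    """Walk through the cases the review discusses; returns verdicts by name."""
    good = workdir / "GOOD.EXE"
    selfmod = workdir / "SELFMOD.EXE"
    incoming = workdir / "NEW.EXE"
    good.write_bytes(b"MZ good program image")            # constructed
    selfmod.write_bytes(b"MZ program keeping settings in its own image")
    incoming.write_bytes(b"MZ new program " + INFECTION_MARKER)
    shell = IntegrityShell(workdir / "INTEGRITY.DB",
                           toy_prescan if with_prescan else None)
    for program in (good, selfmod):
        shell.register(program)  # the install-time registration pass
    verdicts = {"good_clean": shell.gate(good)}
    # Any alteration to a registered file is caught and the file is not run...
    good.write_bytes(b"MZ good program image" + b"\x00patched")
    verdicts["good_after_change"] = shell.gate(good)
    # ...but so is a program that legitimately rewrites itself: the false
    # positive the review warns is inherent in generic checksumming.
    selfmod.write_bytes(b"MZ program keeping settings in its own image [cfg=1]")
    verdicts["selfmod_after_selfwrite"] = shell.gate(selfmod)
    # An unknown program is refused unless the user chooses to register it.
    verdicts["incoming_refused"] = shell.gate(incoming)
    # Registering without a pre-scan admits the infected file into the
    # database: the baseline is poisoned and it passes every later check.
    verdicts["incoming_registered"] = shell.gate(incoming, register_unknown=True)
    verdicts["incoming_recheck"] = shell.gate(incoming)
    return verdicts


if __name__ == "__main__":
    for flag in (False, True):
        with tempfile.TemporaryDirectory() as d:
            print("pre-scan" if flag else "no pre-scan", run_demo(Path(d), flag))
```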


The effects of executing infected executables can be (and are) 
detected, but the daunting task of identifying which file is 
the cause of the problem still remains - the manual does not 
tell the user that there is a more than adequate scanner 
included (F-Prot). 


Screen shown with the review: MIT 3.7.9 — Copyright(C) 1986-92 ASP — All Rights Reserved, 
with menu items including ‘sPlit install’ and ‘Check programs for change at load time’. 

Integrity Toolkit is one of the most option-rich programs I have ever 
come across. However, the developers need to spend more time 
explaining the pros and cons of each choice for this to be of use. 





Fred Cohen has written and documented a scanner for the 
product, called SCAN: it appears, however, to be fearfully 
out of date (the latest file date being December 1992), and 
only claims to be able to detect ‘common viruses’ (whatever 
those are). When run against the current Virus Bulletin In 
the Wild test-set, SCAN identified fewer than 30 out of the 
126 samples as infected. Obviously SCAN is no longer being 
developed, and should be dropped from the product. 


When referring to SCAN, the manual does affirm that ‘the 
Monitor mode of operation is far more effective and less 
expensive than the SCAN mode of operation’. Unfortunately, 
it is nowhere explained either what Monitor is, nor how it 
might operate. It is possible that this is somehow a cryptic 
reference to F-Prot. If so, the manual needs to be updated to 
make this clear. 
Version 2.09f of F-Prot (issued September 1993) was that 
supplied with the Integrity Toolkit: it found all viruses in 
both the Virus Bulletin In The Wild and Standard test-sets. It 
scanned 1,393 files (58.0 Megabytes) in 78 seconds in 
secure scanning mode, approximately 761 Kbytes/sec on the 
test machine. 


Conclusion 


This is an immensely complex product, and a complete 
review of its many features would fill far more space than 
the three pages available. It must be said that in its current 
incarnation, the Integrity Toolkit is not user-friendly. This 
should change when SR releases its new version, with a CUA-compliant 
character-mode user interface and (one hopes) 
context-sensitive on-line help. As it stands, MIT does not 
support a mouse, and on-line help is simply a one-liner at the 
bottom of the screen - occasionally, even this states, tersely, 
‘No help available’. 


Quibbles aside, the product’s integrity shell is excellent and 
will detect executable file modifications, but users should be 
aware that there are still a number of programs which quite 
legitimately modify themselves: these cause problems with 
all such generic checksumming programs. 


I have spent a great deal of time thinking about how to 
conclude this review. ASP Integrity Toolkit works and will, 
without doubt, provide an excellent way of managing a 
reasonably-sized IT system. However, the presentation of the 
package needs to be improved, and the compatibility issues 
solved. In its current form, the problems seem to outweigh 
the benefits: by design Integrity Toolkit is very restrictive. 


Sikkerheds Radgiverne informs me that the product is being 
completely revamped, the documentation simplified and 
some of the more esoteric functions removed. If this is done 
successfully, there is no doubt that the product will be much 
improved, and certainly worth considering for sites whose 
PCs require a high level of protection. 


One final note - when this product was last reviewed, some 
eighteen months ago, the quoted unit price was $89.00: 
although this has now increased by some 300%, the product 
itself has barely changed. 





Technical Details 
Product: ASP Integrity Toolkit 
Version Evaluated: 3.7.9 


Vendor: Sikkerheds Radgiverne, Knabrostraede 20, Copenhagen, 
DK-1210. Tel: +45 3332 3537 Fax: +45 3332 3547 


Serial Number: None visible. 
Unit Price: Dk Kr 1,895.00 (Circa UK £190 or US $290) 


Hardware Used: SIR 486 Sub-Note with 110 Megabyte hard drive 
and 4 Mb RAM, a 25 MHz 486sx processor and a single high-density 
floppy disk drive. 


For details of the test-sets used here, refer to: 
Standard test-set: VB May 1992, page 23 
‘In the Wild’ test-set: VB January 1993, page 12 











VIRUS BULLETIN ©1993 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel +44 (0)235 555139. /90/$0.00+2.50 
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers. 


20 VIRUS BULLETIN DECEMBER 1993 


PRODUCT REVIEW 2 


Discovering PC-cillin 
Dr Keith Jackson 


Virus Bulletin last examined PC-cillin from Trend Micro 
Devices over two years ago. In that last review, Mark 
Hamilton was less than enamoured of the product, and 
dourly concluded that ‘there is little, if anything, about this 
product to commend it’. Have things improved? 


Baubles, Bangles and Boxes... 


PC-cillin is supplied as an ‘Immunizer Box’ (a small piece 
of hardware with 25-way D-type sockets on either end), an 
A5 manual, various pieces of bumph, and both 3.5-inch and 
5.25-inch floppy disks. The Immunizer Box is mentioned 
neither in the Installation chapter nor in the index of the 
manual; the README file is also silent on the matter. I had 
to dig around elsewhere in the manual to learn that it should 
be attached to a parallel port. 


This information is vital: PC hardware design is such that 
serial ports, with male sockets, and parallel ports, with 
female sockets, both use 25-way D-type connectors. Thus, it 
is possible to insert the Immunizer Box incorrectly into an 
RS-232 serial port. Given the higher voltages used by RS-232 
signals, this may cause damage to the PC or to the 
Immunizer Box. As I value my test machine, I did not test 
the verity (or otherwise) of this! 


Documentation 


Probably the biggest problems encountered with PC-cillin 
concern the manual, which appears to have been written 
with a different product in mind. It has not been revised for 
this version of the software, and even worse, no explanation 
has been added to the README file. The many flaws are 
doubly disappointing, as much of the discussion of anti-virus 
strategy is well written, and will make sense to most readers. 


Several features touted in the manual, such as scanning files 
before execution, and disinfecting Mutation Engine infected 
files, are available from v4. However, the latest version of 
the software is v3.65, and the manual shows pictures of 
screens taken from v3.3 and v3.6. What has happened to v4? 
Why reference future versions? The documentation is 
confusing and confused, is virtually bereft of technical detail, 
describes ‘Real Soon Now’ features, and resorts to meaningless 
marketing nomenclature. In short, it is a mess. 


The manual is prone to using silly names, and to depicting 
viruses with drawings resembling ink-blots [or are they 
ink-blots which resemble viruses? Ed.]. Disinfection of Mutation 
Engine infected files is called ‘Mutie Clean’ (on which 
the developers claim trademark), and the characteristics of 
their scanner are denoted by the phrase ‘Deep Scan’. 


I would argue that some of the claims made in the documentation 
are not fulfilled: PC-cillin purports to be the only 
product to disinfect MtE-infected files. Apart from the fact 
that this is patently untrue (several products can do this), the 
version of PC-cillin reviewed cannot even detect MtE- 
infected files, let alone disinfect them. 


Installation 


Once the Immunizer Box was correctly installed, the manual 
instructed me to type PCCILLIN. This produced a “Bad 
command or file name’ error, as no executable file of this 
name existed on the floppy disk. Through a process of 
elimination, I eventually deduced that a file called PCC 
started installation. It is totally unacceptable that the name of 
the installation program given in the manual is incorrect. 


Having completed the testing, I noticed in the extra bumph 
that users are advised to boot from the installation floppy 
disk to install. When I tried this, the naming problems 
described above were circumvented. This is not mentioned in 
the manual. The README file, which provides late additions 
to the manual, instructs users to boot from the floppy if 
upgrading, but mentions nothing about installation. 


I am uncertain whether providing a boot disk for installation 
is a good idea or not. It requires the developer of the boot 
disk to solve all the problems of hardware compatibility 
normally tackled by Microsoft and the various OEM 
developers. What happens to compressed drives? The 
manual deals with none of these issues. 


Finally, after booting from the installation disk, the user is 
asked to enter the name of the drive on which PC-cillin is to 
be installed. There is, however, no choice about the subdirectory. 
This is poor - it is my hard drive, and I should be 
allowed to put the files where I want to. 

















Screen shown with the review, the PC-cillin options menu: Low Level Disk I/O Control; 
Boot Security; Abnormal Memory Resident; Abnormal File Open/Creation; 
Partition/Boot Sector Write Protect; Floppy Disk Boot Virus Check; 
Continue Operation Option ([<-] Turn on, [->] Turn off). 

PC-cillin provides a number of different options in order to give 
enhanced protection on machines - however, lack of attention to 
detail lets the product down. 
During installation, PC-cillin scans for known viruses, first 
in memory, then on the hard disk. Next, the boot sector and 
partition table information is stored in the Immunizer Box. I 
later found that PC-cillin had added lines to the start of the 
AUTOEXEC.BAT file, which installed a memory-resident 
program called Virus Trap. This occupied 14.2 Kbytes of 
RAM, a reasonably-sized chunk. For reasons which are 
beyond me, the installation program changed the date/time 
stamp on the CONFIG.SYS file, even though nothing in this 
file was altered. 


The manual states that Virus Trap can be disabled after 
installation by removing the line which calls a program 
entitled PCCSTSR from the file AUTOEXEC.BAT: no such 
line exists. It also states that the AUTOEXEC.BAT file will 
be backed up, either to AUTOEXEC.$$$, or to 
AUTOEXEC.@@@. In fact, it is backed up to AUTOEXEC.PCC. 
After installation onto the hard disk is complete, the manual 
states that PC-cillin requires 110 Kbytes of disk space, and 
the README file says 360 Kbytes are required. Neither is 
correct. It occupied 449 Kbytes. 


I encountered other problems during installation: for 
example, the manual states that the installation program will 
ask for a floppy disk as a Rescue Disk to ‘store a copy of 
your hard disk partition table’. It did not. The entire installation 
procedure hardly inspires confidence in the product. 


Modus Operandi 


With the product installed, my PC now has a small, single 
character, ‘smiling face’ (their phrase) blinking in the top 
right corner of the screen, which I personally find very 
irritating. Good anti-virus software should be completely 
unobtrusive. It is impossible to choose which character is 
displayed, but the feature can (thank goodness) be disabled. 


In addition to a memory-resident anti-virus program, there is 
a scanner, called ‘Quarantine’. When executed, PC-cillin 
scans memory before the first file scan is invoked. This takes 
55 seconds. During this process, a counter zooms up to 562 
Kbytes, and then clocks up very slowly to 640 Kbytes. I am 
not sure if this means that only the top part of memory is 
being scanned; such details are not in the documentation. 


By default, scanning (I refuse to call it Quarantine) inspects 
all executable files, but this selection can be overridden. The 
scanner seems to accept only a single DOS wild-card 
expression; therefore it is possible to scan for all COM files, 
or for all EXE files, but not for both. If the scanner is 
executed from the command line, more than one file expression 
can then be named, but this merely invokes the scanning 
process twice. Not what is actually needed, I fear. 


PC-cillin scanned the hard disk of my Toshiba 3100SX (see 
the Technical Details section) in 3 minutes, 1 second when 
scanning all files, 1 minute, 34 seconds when scanning all 
EXE files, and 47 seconds when scanning all COM files. In 
comparison, Dr Solomon’s Anti-Virus Toolkit scanned the 
same hard disk in 39 seconds. Sophos’ Sweep took 1 minute, 
35 seconds in Quick mode (6 minutes, 7 seconds in full 
mode). The scanning speed offered by PC-cillin is not 
unreasonable, but it is by no means one of the fastest 
products, as claimed in the manual. 


The scanner has some annoying foibles. It is possible to 
interrupt execution whilst scanning files on a disk, but not to 
interrupt the initial scan of memory. The Volume Name of 
the hard disk being scanned is always omitted from the 
appropriate field of the Report File, but curiously the 
Volume Serial Number is included. The scanner also insists 
that the Report File is written to the disk being scanned, a 
tactic as incomprehensible as it is annoying. 


The Viruses 


I tested PC-cillin against the virus test samples listed in the Technical Details section below. The software claims to detect 1467 unique viruses, but the manual says there are 2600 ‘known viruses and strains as of June 1993’. Of the non-Mutation Engine samples, PC-cillin correctly detected all but five. None of the 1024 MtE samples were detected. Careful inspection of the manual discloses that disinfection of MtE samples is promised with version 4 of PC-cillin (remember that this review covers v3.65): perhaps MtE detection will also be included at this time. The first chapter of the manual states that ‘Trend’s approach to virus protection is not compromised by the existence of today’s mutation (polymorphic) viruses’. This courageous claim is wrecked by the 0% detection rate.


“I have ploughed my way through more than 50 reviews for VB since its inception, and PC-cillin feels like a gigantic leap backwards.”





The five viruses not detected (Pitch, Power Pump, Todor, Tremor and WinVir_14) were all from the most recent addition to the test-set (a few months ago). Given that PC-cillin describes at some length that its scanner is ‘rule-based’ (their phrase), I surmise that each virus is analysed by the developers, in order to discover its method of operation, and the scanner amended as appropriate. Therefore, keeping up with the latest viruses is onerous and time-consuming.


PC-cillin always detected infection, but frequently (13% of 
the time) found a different virus from that actually present in 
the test sample. This may be a side-effect of using rules, 
rather than signatures, to detect viruses. 


The Virus Trap 


The manual makes many claims about Virus Trap which, even allowing for features which will only be available from version 4 (see above), does not seem to work properly. The feature defined in the manual as ‘Abnormal File Open/Creation Detection’ claims that it ‘Warns of programs that open themselves’. This is not true. Even with protection active, Sidekick could still edit its own executable file (SK.COM). Similarly, Wordstar could be used to edit WS.EXE, and my ancient address book program, which maintains names and addresses within its own executable image, could be updated ad infinitum.
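The check the manual describes is simple to state: warn when the file a program opens for writing is the image it was loaded from. The following is an added model of that rule, not code from PC-cillin or Trend, run over a constructed log of file-open events that mirrors the review’s three counter-examples; the paths, event layout and ‘mode’ field are assumptions made for the illustration. Read-only opens of one’s own image are left unflagged, and, as the review shows, legitimate programs do write to their own images, so a monitor applying this rule must expect false positives.

```python
import ntpath

EXECUTABLE_EXTS = {".COM", ".EXE", ".SYS", ".OVL"}  # image types worth watching


def _canon(path):
    """Canonical DOS path: upper case, backslashes, no '.' components."""
    return ntpath.normpath(path.replace("/", "\\")).upper()


def opens_itself(event):
    """True if a program opens its own executable image for writing.

    event: dict with 'process' (image the running program was loaded from),
    'path' (file being opened) and 'mode' ('r' or 'w'). Constructed layout.
    """
    if event["mode"] != "w":                       # reads are routine (overlays etc.)
        return False
    target = _canon(event["path"])
    if ntpath.splitext(target)[1] not in EXECUTABLE_EXTS:
        return False                               # not an executable image
    return target == _canon(event["process"])      # same file as the running image


def audit(events):
    """Return, in order, the events a monitor should warn about."""
    return [e for e in events if opens_itself(e)]


# Constructed event log (not captured from the product): the three programs
# the review used, plus a normal document write and a read-only self-open.
SAMPLE_EVENTS = [
    {"process": r"C:\SK\SK.COM",     "path": r"c:\sk\sk.com",       "mode": "w"},
    {"process": r"C:\WS\WS.EXE",     "path": r"C:\WS\WS.EXE",       "mode": "w"},
    {"process": r"C:\UTIL\ADDR.COM", "path": r"C:\UTIL\.\ADDR.COM", "mode": "w"},
    {"process": r"C:\WS\WS.EXE",     "path": r"C:\WS\LETTER.TXT",   "mode": "w"},
    {"process": r"C:\SK\SK.COM",     "path": r"C:\SK\SK.COM",       "mode": "r"},
]

if __name__ == "__main__":
    for e in audit(SAMPLE_EVENTS):
        print("WARNING: %s opened its own image for writing" % e["process"])
```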


Also, the feature described as ‘Abnormal Memory Resident Program Detection’ was happy for both Sidekick and Manifest to become memory-resident, although Sidekick is notorious for doing abnormal things to various interrupt vectors, and Manifest does a complete low-level examination of the system. What is abnormal? This adjective is never defined in the documentation.


Other features of Virus Trap include monitoring and inspection of the boot sector of both floppy and hard disks, and monitoring of ‘Low Level I/O’ (whatever that means: it is not explained). I tested the impact on performance imposed by Virus Trap by measuring the time taken to copy 35 smallish files (1.2 Mbytes). Without PC-cillin, these files could be copied under DOS in 24.4 seconds: with Virus Trap installed, it increased to 44.3 seconds. Under Windows these two figures were 25.0 seconds and 47.2 seconds respectively. Using either set of measurements, this corresponds to an imposed overhead of over 80%.


The scanner operated correctly under Windows, although it is only a program executing in a DOS box. All measured scanning times increase by about ten percent under Windows; a creditable performance. Virus Trap also works under Windows, though it needs a special program to be executed before it can make its error messages pop up.


Problems in Reviewing 


PC-cillin has been reviewed before by VB (July 1991), and the reviewer (not myself) had problems getting it to work properly. I have ploughed my way through more than 50 reviews for VB since its inception, and this feels like a gigantic leap backwards. First, the general standard of the documentation provided with anti-virus products over the past few years has improved dramatically. PC-cillin’s documentation has not kept up.


Second, PC-cillin is dongled: although the only stated function of the ‘Immunizer Box’ is to store boot sector information securely, PC-cillin will not run without it. More sensible products include such features by writing files to floppy disk. PC-cillin could do the same, but chooses to use a dongle, and forces the user to attach this extra hardware to the parallel port (otherwise PC-cillin will not install, and Virus Trap will not execute). Still worse, unlike data stored on floppy disk, information held within the dongle cannot be securely backed up. What happens if the hardware fails?


The last review concluded that the dongle was unnecessary. I too see no reason for it, apart from the unstated purpose of copy protection. The developers seem to know this: they had a similar product called PC Rx, which was not dongled, reviewed by VB (October 1992, p.21). Re-reading the PC Rx review, the screens are very similar to those produced by PC-cillin, and the products seem to have much in common.


For testing purposes, I installed PC-cillin on two computers. If I cannot remember correctly on which computer the dongle was last used, what happens if I accidentally restore erroneous boot sector information? I could go on, but these questions make my point succinctly. The dongle adds no capability not achievable by ‘normal’ means, and can introduce problems ranging from a nuisance to something little short of a disaster.


In Conclusion 


Were the list of problems described in this review all fixed, I 
still would not recommend use of this product until the 
developers have publicly stated that their ‘Immunizer Box’ 
hardware has been ditched. In fact, had I known from the 
start that the ‘Immunizer Box’ was a dongle, I would have 
insisted that VB stick to its policy of refusing to review copy- 
protected software. 


PC-cillin detects viruses well, but shows signs of being somewhat slower than other products at being updated; its detection problems were entirely with the most recently introduced virus test samples. The myriad problems with the documentation are explained earlier in the review. In my humble opinion there is no short-cut: the manual needs rewriting. Until this has been done, and PC-cillin has been de-dongled, I would not recommend its use under any circumstances whatsoever.
CONFERENCE REPORT


Predictable but Worthwhile 


Early in November, Virus Bulletin fled the frosts of England 
for two days and went to Anaheim, California, where the 
Computer Security Institute was holding its 20th annual 
conference and exhibition. 


Anaheim is part of the overall sprawl of southern Los 
Angeles, bristling with palm trees and theme parks. In the 
Hilton and Towers, opposite ageing Disneyland, several 
hundred delegates, speakers and exhibitors gathered for what 
has become the leading computer security conference in the 
United States. 


Agenda Details 


The conference programme, with twelve simultaneous 
streams, was both ambitious and comprehensive, and 
covered a wealth of topics, including: 


• Introduction to Computer Security
• The Next Step [? Ed.]
• LAN Security
• Management
• Awareness
• Open Systems
• Telecommunications
• Contingency Planning
• Micros and Portables
• Tools and Techniques
• Audit and Risk Assessment
• Product Specific


Only four of the 115 main conference sessions were concerned specifically with viruses. The first, from Noah Groth, of PC Guardian, gave an introduction to computer viruses, pointing out the importance of straightforward measures such as backups and employee awareness as aids in reducing the threat of a virus attack and limiting potential damage.


John Blackley, of Guaranty Federal Bank, shared his 
experience of creating and implementing a virus response 
team - this included everyday practicalities, such as choice of 
anti-virus software, methods of distribution, and ways of 
keeping it up to date. 


Genevieve Burns, of Monsanto Company, gave an account 
of her strategy for developing a virus awareness campaign 
for a large company. Her talk covered both technical and 
business issues. 


Finally, Dr Peter Lammer, of Sophos, gave a presentation on 
virus protection for PC LANs, in which he discussed 
technical aspects of virus spread and stealth behaviour in 
network environments, and explained the industry’s move 
over the past 18 months to server-based scanning. 


Other sessions, while not specifically virus-related, nevertheless addressed matters germane to the subject. Dan Erwin, of Dow Chemical, for example, gave a talk entitled ‘Horror Stories and How to Use Them’, applying a variety of management models to the problems of IT security.


[Photograph: Roger Thompson, from Leprechaun Software, discussing the pros and cons of anti-virus software with Hector Aguilar, of the Deutsche Treuhandgesellschaft.]

The Exhibitors 


The anti-virus industry was represented slightly more strongly in the exhibition than in the conference; of a total of one hundred or so companies, those showing anti-virus products included Command Software, Leprechaun, Reflex, Digital Equipment Corporation/Sophos, McAfee, Symantec and Trend.


No major surprises were found here; life seems to continue much as usual. However, there appears to be more focus on server-based anti-virus software, with the apparently never-ending scanner race still the industry’s bread and butter.


Closing Thoughts 


CSI is one of the main computer security events of the year, and for this reason alone it is worth attending. The conference itself is primarily an educational event rather than a research forum - this means that delegates who have attended before can expect a familiar programme.


This is not to say that the event was without entertainment: there was a very good cocktail bar, where copious discussion of data security issues took place each evening while Victoria Paoletti and Jerry Garvin made great music at the piano next door. Last year’s CSI venue, the Chicago Hilton and Towers, was made famous this year in the film The Fugitive. It is up to Hollywood to decide whether CSI’s latest venue will be afforded the same star treatment.
END NOTES AND NEWS


Stuck for a last minute Christmas present? The Survivor's Guide to 
Computer Viruses makes the perfect stocking filler. Both informative and 
highly readable, this one-shot reference book on computer viruses costs 
only £19.95. For further information, and for details of bulk purchase 
discounts, contact Victoria Lammer. Tel. +44 (0)235 555139. 


Central Point has launched an OS/2 version of Central Point Anti-Virus. The new product is designed to complement Central Point’s recently updated NetWare product, providing centralised virus reporting over a network. CPAV OS/2 costs £99 including four updates, and requires a 386 machine or higher, running OS/2 2.x. Tel. +44 (0)81 848 1414.


Sneakers-type computer hacking is catching on in the United States, according to a report in Computer Fraud and Security Bulletin. Management companies such as Price Waterhouse are being approached by clients to provide ‘hacker-like’ penetration services to see where the weak points to their system are. Set a thief to catch a thief, and all that...


TSR Review Follow-up. Commenting on McAfee Associates’ poor performance in the recent TSR review (VB, September 1993 p.15), Phil Talsky, spokesman for McAfee, claimed that the performance of the TSR was ‘not a problem’ as long as users always used the scanner too. Many feel differently. David Merril, vice president of a Manhattan executive search firm, commented ‘I’m supposed to feel good about that sort of protection? Who’s writing anti-virus software - Beavis and Butthead?’


The National Computer Security Association has released its Fall 
catalogue, containing over 100 computer security-related items. 
Tel. +1 (717) 258 1816. Fax. +1 (717) 243 8642. 


Yes! Dr Solomon will float! S&S International’s buoyant Chairman has expressed his intention to take his company to a recognised stock market within two years. The company has recently been given two business excellence awards by Commerce Business Magazine.


An International Symposium on Computer Crime will be held in Beijing, China, on 25th-27th October 1994. For further information, contact Mr Jing Qian-Yuan. Tel. +86 (1) 5121667. Fax. +86 (1) 512 1667.


Patricia Hoffman’s VSUM ratings for October: 1. Command Software’s F-PROT Professional 2.09f, 95.5%, 2. McAfee Associates Viruscan V108, 95.0%, 3. Sophos’ Sweep 2.53, 91.5%, 4. Dr Solomon’s AVTK 6.55, 90.4%, 5. Safetynet’s VirusNet 2.08a, 89.5%. NLMs: 1. McAfee NetShield V108, 93.7%, 2. Sophos Sweep NLM 2.53, 91.6%, 3. Dr Solomon’s AVTK NLM 6.54, 86.4%, 4. Command Software’s Net-Prot 1.00s, 69.2%, 5. Cheyenne’s Innoculan 2.0/2.18g, 64.4%.


Software piracy case lands perpetrators in prison. According to a report in Corporate Security Digest, one man is in prison and another serving home detention after being convicted of manufacturing and distributing at least 25,000 copies of MS-DOS. It is believed that this is the first computer piracy case to result in a prison sentence.


The problem of Novell NetWare password creation has been solved by Baseline Software’s latest product, Password Genie. One of the most common ways of breaking into a computer system is by guessing passwords. Password Genie alleviates this problem by making sure that all users employ difficult-to-guess passwords at all times. Each password must pass 43 different tests in order for it to be acceptable. The software costs $395 per server, and can be run on all versions of NetWare from v2.x. Tel. +1 (415) 332 7763.


AT&T has announced the launch of three programs designed to enhance the security of data and communications. The software provides encryption, authentication and secure data transmission. ‘These programs offer key capabilities for anyone working on the road, from home, at remote sites or in a mobile office setting,’ said Bill Franklin, business development manager for AT&T Secure Communication Systems.